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ABSTRACT 


This thesis will briefly explore the questions surrounding why prevention has 
typically not been incorporated into homeland security exercises and strives to document 
and demonstrate that prevention can be exercised. It will look at various prevention 
strategies, most notably, “All-Crimes,” Information Sharing, Private Sector Security, 
Attack Trees, Red-Teaming, and Behavioral Analysis, to detennine how these 
prevention-related tools can be integrated into exercise design and conduct. These tools 
can be used in exercises individually or in groups. They are, however, not the end-state, 
as other tools undoubtedly exist. Prevention as a science and a skill is still in its infancy; 
with additional research, analysis, and practice, maturity will come. 

This thesis also endeavors to provide a road map for agencies desiring to 
understand and exercise prevention activities. Understanding that prevention can be 
practiced and exercised through the use of certain tools is one significant step in having 
the guidance necessary to begin a prevention exercise, or better, a complete prevention 
exercise program. Agencies using these tools, working within the Homeland Security 
Exercise and Evaluation Program (HSEEP) Guidelines, and using technical expertise 
available from local, national, and federal subject-matter experts, should have that road 
map. 
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I. INTRODUCTION 


A. OVERVIEW 

Traditionally, homeland security exercises have focused on the activities of first 
responders. This is not surprising since responder activities are the easiest to 
conceptualize, the most straightforward to plan and the simplest to objectively document. 
Moreover, response and recovery plans are relatively easy to test and stress. This usually 
requires simply pushing more victims at responders until the system can no longer handle 
the flow. Response exercises, perhaps the most common type, are generally conducted on 
one of several levels including seminars, workshops, tabletops, games, drills, functional 
and full-scale. These exercises usually produce concrete information easily reviewable by 
budget-writers and decision-makers—this is frequently true of mitigation and recovery 
exercises as well. Additionally, after-action reports, lessons-learned and improvement 
plans from response exercises are generally clear-cut and relatively easy for other 
responders to relate to and understand. 

Prevention, however, is a more imprecise discipline than response. Certain 
aspects of prevention, such as target hardening and Crime Prevention Through 
Environmental Design (CPTED), can produce tangible results, but they are primarily 
long-term capital investment strategies and do not lend themselves well to the exercise 
process. 

The National Strategy for Homeland Security features prevention prominently 
although it may be the least understood element of the strategy. Superficially, it is a 
seemingly simple concept but in relation to homeland security planning, training and 
exercising, the term is sometimes used ambiguously. 

In reviewing lessons learned, agencies focus on what went wrong the last time but 
spend little effort detennining what will go wrong in a future, different event. Prevention 
is difficult to define or measure. If it works, nothing goes wrong. Moreover, stressing 
prevention systems can be done by simply overloading the system with information, 
intelligence, or adversaries to the point that the system is no longer effective. This only 
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proves, however, that any system can be overloaded. Considering these difficulties, it is 
therefore not surprising that homeland security drills and exercises have not yet, to any 
significant extent, focused on prevention-related activities. 

At the state and local level, some agencies believe they have been left on their 
own to craft prevention strategies. This contention is confirmed by a report from the 
Police Executive Research Forum (PERF), which observed that: 

...on a national level, law enforcement is just beginning to develop 
comprehensive and detailed strategies for prevention and responding to 
terrorism and is searching for direction and guidance to inform their 
development of homeland security plans. PERF says “too many” of these 
agencies “are unsure of what their part should be” in preventing and 
responding to terrorism, and local homeland security planning efforts to 
date consequently have been characterized by a “lack [of] a strong 
unifying strategy and coordinated approach with other jurisdictions and 
with agencies at other levels of government.” Moreover, PERF said, “even 
those [agencies] that feel certain of their charges must make significant 
changes to their structure, policies, procedures, personnel expertise, 
training and budgets - all with only their own guidelines or standards to 
ensure success. 1 

Clearly, as prevention is an emerging discipline and not always plainly and 
uniformly defined, much work remains. 

This thesis will briefly explore the questions surrounding why prevention has 
typically not been incorporated into homeland security exercises. It will also look at 
various strategies, most notably those concerning traditional crime prevention, 
intelligence, red teaming, and behavioral analysis, to determine how these prevention- 
related strategies can be integrated into homeland security exercise design and conduct. 
Ultimately, this thesis will provide answers to government agencies, primarily at the local 
and state level, which seek to supplement their traditional response, recovery, and 
mitigation efforts with the vastly more difficult task of preventing terrorism in the first 
place. 


1 Gwen A. Holden, Building a Homeland Security Strategy’: State and Local Law Enforcement on the 
Line (Washington D.C., Branch Office: University of Pennsylvania’s Jerry Lee Center of Criminology, 
2003), 2. 
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According to the National Strategy for Homeland Security, prevention is the 
nation’s first homeland security strategic objective. 2 However while most layers of 
government are trained, practiced, and experienced, to varying degrees, in response and 
recovery, those same layers are not particularly well trained, practiced or experienced in 
prevention. Recently, with the TOPOFF (Top Officials) series of national homeland 
security exercises, and an exercise conducted in 2005 by the Department of Homeland 
Security and the Upstate New York Regional Intelligence Center, prevention has played a 
more important, albeit still minor, role than in the past. Fortunately, as the importance of 
prevention is increasingly acknowledged and accepted, and additional research is 
completed, we begin to get better at learning about prevention. While exercises can help 
plan, train and assess response and recovery readiness, they can also be used to plan, 
train, and assess prevention readiness. This thesis will attempt to provide guidance on 
improving prevention readiness by exploring various ways to incorporate prevention 
strategies into homeland security exercises. 

To implement a prevention exercise program, individually, or as part of larger, 
more comprehensive, exercises, state and local jurisdictions need a roadmap that explains 
the benefits, provides clear direction on how to begin the process, and if possible, 
provides financial and technical assistance to agencies that require it. This thesis, by 
detailing specific tools, will attempt to provide some of the guidance necessary to 
accomplish this task. 

Currently, the most widely used and funded exercise methodology for validating 
and enhancing homeland security capabilities at the local, state, and national levels is the 
Homeland Security Exercise and Evaluation Program (HSEEP). Recently, DHS released 
a working draft of HSEEP V, Terrorism Prevention and Deterrence. HSEEP V is 
modeled after and designed to be consistent with HSEEP Guides I-IV and is intended to 
be a living document that will evolve along with the emerging disciplines of exercising 
and prevention. 


2 Office of Homeland Security, National Strategy for Homeland Security (Washington, D.C.: GAO, 

2002 ), 2 . 
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There are many benefits to exercises. Exercises can improve performance, 
identify areas in need of improvement, and improve intelligence gathering and sharing 
capabilities. Most importantly, however, on-going, realistic prevention-oriented exercises 
may result in actual improvements in society’s ability to prevent terrorism. 

B. LITERATURE REVIEW 

A review of available literature finds that general information on exercises is 
widely available as is information on the importance of including prevention in plans and 
strategies. The most prominent of these is the National Strategy for Homeland Strategy, 
which lists prevention as the first strategic objective of various national strategies. This 
review also finds that little research has been done on prevention models that can be 
incorporated into homeland security exercises. The Homeland Security Exercise and 
Evaluation Program (HSEEP) Guides l-IV mentions the importance of including 
prevention in homeland security exercises many times. For example, HSEEP I suggests 
that prevention exercises focus on issues pertaining to the following: 3 

1. Information and intelligence sharing 

2. Credible threats 

3. Surveillance 

4. Opposing/adversary force or “red team” activity 

Unfortunately, HSEEP Guides I-IV provide little specific direction on what these 

methods and tactics should look like in homeland security exercises, and instead leave 
much of that detail for readers to determine for themselves. As it is an exercise program, 
HSEEP generally does not offer tactical-level operational guidance. 

This lack of specific guidance is not uncommon. The Office for Domestic 
Preparedness (ODP) published its Guidelines for Homeland Security-Prevention and 
Deterrence in 2003. Though the document cites exercises twenty seven times, most of the 
references focus only on the need to include prevention in exercises and not on how this 
should be accomplished. The Guidelines for Prevention and Deterrence, however, was 
not written to as a ‘how-to’ guide. 


3 U.S. Department ofHomeland Security, Homeland Security Exercise and Evaluation Guide, ed., 
Volume I: Overview and Doctrine (Washington, D.C., 2004), 14. 
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The U.S. Government Accounting Office (GAO) has issued several reports, 
which analyze federal level counterterrorist exercises and detail how improvements can 
be made, including the publications Combating Terrorism: An Analysis of Federal 
Counterterrorist Exercises and Combating Terrorism: Issues to Be Resolved to Improve 
Counterterrorist Operations. These works focus primarily on statistics but also provides 
some limited guidance on information sharing and cooperation among agencies. 
Examples of prevention can be found in research conducted by Bach. 4 This work focuses 
solely on border security; however, his discussion of deterrence strategies such as the 
Cargo Security Initiative may be instructive. As mentioned previously, the Department of 
Homeland Security HSEEP Guidelines provide specifics on the implementation of an 
effective exercise program and more limited general direction on the incorporation of 
prevention into actual exercises. Recently, DHS published the HSEEP V: Prevention and 
Deterrence Exercises, which provide significantly more substantial direction for agencies 
to follow. 

There is recent research and guidance, albeit sometimes peripheral to the author’s 
primary topic, on the overall prevention of terrorism. Longshore, for instance, has written 
that we must recognize that the prevention of terrorism will not always be a direct result 
of prevention efforts, but may also be related to other tactics that are more broadly 
directed at the suppression of crime and other factors. 5 His research, along with that of 
Docobo, suggests that traditional crime prevention efforts can be applied to homeland 
security efforts. 6 

Work by Dailey has produced a specific counter-terrorism plan, with 
accompanying training, for police patrol officers. 7 This is important because if a plan can 

4 Robert Bach, “Transforming Border Security: Prevention First,” Homeland Security Affairs 1, no. 1 
(Summer 2005). 

5 David N.M. Longshore, “The Principles of Prevention and the Development of the Prevention 
Triangle Model for the Evaluation of Terrorism Prevention” (Master's Thesis, Naval Postgraduate School, 
Monterey, CA, 2005), 38. 

6 Jose M. Docobo, “Community Policing as the Primary Prevention Strategy for Homeland Security at 
the Local Law Enforcement Level” (Master's Thesis, Naval Postgraduate School, Monterey, CA, 2005), 34. 

7 Thomas J. Dailey, “Implementation of Office for Domestic Preparedness Guidelines for Homeland 
Security June 2003 Prevention and Deterrence” (Master's Thesis, Naval Postgraduate School, Monterey, 
CA), 2005. 
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be trained it can be exercised. Typically, training and exercising contain elements of both 
learning and practice; however, as used here, training is primarily the act of learning, 
while exercising is primarily the act of practicing. When you practice, you prepare. One 
area where both training and exercising have proven more difficult is in the area of 
intelligence gathering and analysis. 

The intelligence function has a significant role in homeland security prevention 
but there appears to be a tendency to only superficially integrate this discipline into 
homeland security exercises. This may be understandable because, like prevention, 
intelligence is difficult. Only recently, during TOPOFF 3 and the prevention exercise 
held by the Update New York Regional Intelligence Center (UNYRIC) has intelligence 
begun to play a larger role of terrorism prevention. Pointing the way towards more 
effective use of intelligence in homeland security exercises will require a review of the 
progression of the role of intelligence in exercises. Additional literature on the subject 
includes the aforementioned U.S. Government Accounting Office reports on Federal 
Counterterrorism Exercises and the U.S. Homeland Security Exercise and Evaluation 
Program Guidelines. 

A final area of research is in the use of red teaming to support prevention in 
homeland security exercises. Red teaming has long been used in the military. As it 
applies to homeland security, it involves thinking or acting like a terrorist in an effort to 
identify security weaknesses and potential targets. Red teaming can be accomplished 
through field-based physical operations or on an analytical level through discussions. 
This thesis will address only how best it can be used as a prevention tool in homeland 
security exercises. Available literature on red teaming is limited. The Department of 
Homeland Security is writing a red team manual and the U.S. Army is developing a 
multi-week red teaming course curriculum. Additionally, after-action reports from 
exercises possessing prevention components are extremely helpful. 

The difficulty with pure research is in determining, from this basis alone, whether 

the nation will be safer because of the implementation of prevention strategies into 

homeland security exercises. The answer to that question, while intuitively positive, is 

also, ultimately, unknowable. Like prevention itself, measuring the success of prevention 
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efforts is difficult. Prevention is a negative quantity. Furthermore, a reduction is some 
static measure of success, for example, the number of terrorist incidents, may simply 
mean that terrorists, independently, have decided to focus on fewer, but larger and more 
damaging attacks. This type of asymmetric change in tactics could hardly be counted as a 
success. These difficulties are a significant reason for the increasing use of capabilities- 
based planning. Capabilities can, for the most part, be measured. 

C. METHODOLOGY 

A full examination of prevention-oriented homeland security exercises will 
require an understanding of homeland security exercise history, design, and development. 

Research for this thesis focuses on the logic, strategy, and success of homeland 
security exercises, particularly those with after-action analysis and comments. It attempts 
to identify existing practices that can be incorporated into exercises and used as tools to 
further prevention efforts. The tools researched and evaluated include ‘all-crimes’ 
strategies, information-sharing, red-teaming, attack trees, behavioral analysis, and the 
incorporation of private sector security into training and exercise programs. 

This thesis will establish various best practices for prevention activities from 
corollary models found in prior and planned future exercises, particularly as they may 
apply to local and state agencies. Review by subject-matter experts will ensure 
information is analyzed correctly and recommendations are both sound and realistic. 
Ultimately, this research is intended to assist in the development of guidelines on how to 
design, develop, and conduct prevention-oriented homeland security exercises. 

D. HISTORICAL CONTEXT 

There has been no shortage of emphasizing the prevention of terrorism as the 
highest priority of the United States in the so-called ‘global war on terrorism’. Shortly 
after the attacks of 9/11, President Bush created the Office of Homeland Security and 
appointed then Governor Tom Ridge as the Director. The first action of this new office 
was to draft and publish the National Strategy for Homeland Security. That strategy 
designated prevention as the nation’s first priority. Since then, several legislative and 
executive actions have further driven this priority. Examples include the U.S. Patriot Act, 
Executive Orders 13356 and 13388, the Intelligence Reform Act of 2004 and others. To 
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further support prevention, there have also been various policy initiatives such as the 
Homeland Security Grant Program, the Law Enforcement Terrorism Prevention Program, 
and the DOJ and DHS led effort to create Fusion Center Guidelines through the Global 
Justice Information Sharing Initiative. 

All of these initiatives recognize the importance of the prevention mission, but 
also the difficulty in actually doing it. In June 2003, the Office for Domestic 
Preparedness published the Guidelines for Prevention and Deterrence, which provides 
some context on how to view this mission area. 8 The guidelines were not written as a 
‘how to,’ but rather to provide aspects to consider when enhancing prevention 
capabilities. Though the Prevention and Deterrence Guidelines publication helps to frame 
what the prevention mission might look like, it does not offer guidance on how 
prevention can be exercised. Even with the guidelines, increased prevention abilities will 
not come without some operational, technical, and perhaps cultural changes in many 
organizations at all levels of government, and these skills and abilities will not be realized 
without training, exercising, and structure. 

Currently the most widely utilized and funded exercise methodology for 
validating and enhancing homeland security capabilities at the local, state, and national 
levels, is the Homeland Security Exercise and Evaluation Program (HSEEP). HSEEP was 
created in 2003 by examining and integrating parts of numerous legacy exercise 
programs that supported events such as natural disasters, radiological/nuclear incidents, 
chemical facility breeches, and even WMD terrorism. Some of these programs included 
FEMA’s Radiological Emergency Preparedness (REP) and Comprehensive Exercise 
Programs, the U.S. Army’s Chemical Stockpile Emergency Preparedness Program 
(CSEPP), and the Nunn-Lugar-Domenici Act’s Domestic Preparedness Program (DPP). 
Although fundamental similarities existed in each of these programs’ exercise 
methodologies, each was created, implemented, and managed by separate government 
program offices and their individual contract support teams, not to mention that each was 


8 U.S. Department of Homeland Security, Guidelines for Homeland Security, Prevention and 
Deterrence (Washington, D.C., 2003). 
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driven by unique federal grants and, in some cases, statutory requirements. Finally, 
virtually none of these exercise programs placed prevention as its highest priority or, in 
most cases, even in their list of requirements. 9 

The Nunn-Lugar-Domenici Act (NLD-DPP) was a first of its kind effort by the 
Federal Government to provide direct preparedness support to state and local 
governments focused exclusively on the threat of terrorism. The DPP was funded and 
administered through the NLD Act, first under the Department of Defense, then 
Department of Justice, and finally the Department of Homeland Security. The Act 
provided for three exercises in each of the 120 most populated cities in the U.S., 
according the 1990 census. The exercises consisted of a chemical weapons tabletop, 
biological weapons tabletop, and a chemical weapons full-scale, each focused exclusively 
on response operations. 

The most valuable effort undertaken to date describing the prevention mission has 
been by way of presidential directive. Homeland Security Presidential Directive 8 
(HSPD-8), which tasked the Secretary of DHS to, among other things, develop a National 
Preparedness System. In response to this directive, a comprehensive effort was 
undertaken to describe, the homeland security mission in detail. Two products were 
designed to accomplish this task. The Target Capabilities List (TCL) and the Universal 
Task List (UTL). The TCL consists of 37 capabilities and includes descriptions of what is 
required to sustain the four primary areas (prevention, protection, response, and recovery) 
that comprise the homeland security mission. Theoretically, if a state or local government 
can show that it has the ability to fully and effectively sustain these 37 capabilities, then it 
could argue that it is ‘mission-ready’, to the maximum extent possible, in regards to 
homeland security. Along with the TCL is the Universal Task List (UTL). Using the 
previous example, if an organization can show that it has the ability to effectively 
maintain the 37 target capabilities, that means then that it should be able to perform all of 


9 Significant portions of this section are based on interviews, discussions and correspondence the 
author had during the period January-August 2006 with Brady K. O'Hanlon, formerly the Program 
Manager of the DHS Terrorism Prevention Exercise Program (TPEP). 
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the tasks illustrated in the UTL. This, of course, is only an ideal and no single agency is 
expected to perform to this level. Five of the ‘target capabilities’ that specifically relate to 
prevention are the following: 10 

• Infonnation Gathering & Recognition of Indicators and Warnings; 

• Intelligence Analysis & Production; 

• Intelligence / Infonnation Sharing & Dissemination; 

• CBRNE Detection; and 

• Law Enforcement Investigation & Operations 

These five capabilities comprise, for all practical purposes, the generally accepted 
description of what the mission of prevention is today. The products created in response 
to HSPD-8 hope to offer to the homeland security community, a clear, common, 
operating picture that describes what prevention should look like. From these definitions 
and tools, the U.S. National Exercise Program (NEP) has drafted HSEEP V-Prevention 
and Deterrence Exercises. HSEEP V is intended to guide jurisdictions on how to exercise 
the target capabilities they have worked to attain. 11 


10 U.S. Department of Homeland Security, “Target Capabilities List-Draft Version Two” 
(Washington, D.C., 2005). 

11 U.S. Department of Homeland Security, Homeland Security Exercise and Evaluation Guidelines. 
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II. STRATEGIES AND TOOLS 


A. ALL-CRIMES 

1. Introduction 

Crime prevention is one of the most important tasks of law enforcement, and 
while the prevention of crime is more difficult to accomplish than response, it is of 
infinitely more value. Of course, the rapid enforcement of crime might also serve as a 
form of deterrence and therefore prevention. For instance, a suicide terrorist is usually the 
last link in a long organization chain that involves numerous actors. Once the decision to 
launch a suicide attack has been made, its implementation requires at least six separate 
operations: target selection, intelligence gathering, recruitment, physical and ‘spiritual’ 
training, preparation of explosives, and transportation of the suicide bombers to the target 
area. Each of these steps presents itself as a target for prevention efforts. 

Law enforcement organizations may take different approaches to terrorism 
prevention. On one hand, departments may view terrorism in isolation, as a rare 
occurrence or remote possibility. Based on this view, a department would organize a 
unique counterterrorism unit, intelligence unit or simply provide staffing to a local Joint 
Terrorism Task Force (JTTF) and assume that all that can be done is being done. 
However this narrow perspective would not allow for all of the existing knowledge, skills 
and abilities of the agency, obtained from decades of experience in fighting traditional 
crime, to be used in the fight against terrorism. Law enforcement can and should employ 
tactics that have been effective in fighting crime. 

While acknowledging that police departments may take differing approaches to 
the incorporation of homeland security duties into law enforcement priorities, a 
preponderance of states and experts believe that a nexus exists between traditional crimes 
and terrorism. 12 Focus solely and specifically on terrorism can lead to missing clues 
about terrorism and terrorists that might otherwise be found in cases involving traditional 
crime. 

12 Council of State Governments, The Impact of Terrorism on State Law Enforcement (Washington, 
D.C., 2005), 19. 
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A better approach would be modeled after the ‘all-hazards’ approach common 
among emergency planners. A report from the Police Executive Research Forum (PERF) 
states that many in local law enforcement recommend an ‘all-crimes’ approach to 
intelligence and information sharing for terrorism and other crimes. 13 There is a further 
extension of this philosophy that could be described as ‘cross-crimes.’ Focusing on all 
crimes indicates that a law enforcement agency will look at any criminal matter as 
potentially terrorism-related. This would be a tall order for any organization. A more 
logical and common sense approach would be to focus on those crimes that are more 
frequently interrelated with terrorism. 

The motives of terrorists and other criminals are rarely aligned, however, 
similarities can be found in the behaviors and methods of terrorists and organized 
criminals. For example, terrorists operating in cells may not always receive organized or 
centralized financing and therefore must generate their own. They must acquire funds 
without attracting the attention of law enforcement. Like traditional white-collar 
criminals, terrorists also rely on fraud in many of its forms to support themselves and 
their networks. 

Still, traditional criminal organizations are not similar to terrorist organizations in 
every way. Typically, terrorists are not significantly involved in street level crime. Unlike 
most street crime, terrorism usually requires careful planning over long periods and 
involves other actors. Indicators of terrorism such as explosives and extremist literature 
may not typically be found on non-terrorist criminals. Finally, terrorist activities do not 
always generate reasonable suspicion and terrorists themselves have typically strived to 
blend in and to remain relatively anonymous. 

2. Crime vs. War 

At the macro level, there is an on-going debate regarding the very nature of 
terrorism. The two schools of thought view terrorism as either criminal in nature or as 
acts of war. These extremes, however, assume there is no middle ground. Is it not 
possible that terrorism can involve both war fighting and crime fighting? To be effective, 

13 Police Executive Research Forum, Protecting Your Community from Terrorism: Strategies for 
Local Law Enforcement, vol. 5, Partnerships to Promote Homeland Security’ (Washington, D.C., 2002), 80. 


12 



indeed, to be of any use at all, law enforcement must regard the fight against terrorism as 
a matter of crime fighting. While many have previous military experience, generally, 
police officers are not institutionally trained or experienced in war fighting. Conversely, 
particularly in countries outside of the United States, the skills and resources of the 
military must see the battle against terror as one that requires war-fighting capabilities. If 
the national-level struggle is a war, then the state and local level struggle can be criminal. 
This way, the most appropriate resources address the problem. 

Most of the successful efforts in the United Kingdom have been crime-fighting 
efforts. This is the same as in much of the European Union, which generally focuses on 
four components: suppressing terrorist financing, legislatively defining terrorism as a 
crime, strengthening immigration policies, and intelligence collection. In his book 
Strategies for Countering Terrorism: Lessons from the Israeli Experience , Tucker points 
out that “most countries view terrorism as a crime and believe that retribution for terrorist 
acts should be pursued through the legal process.” Israel may be the only open and 
democratic society truly fighting terrorism like a war with targeted killings and other 
military tactics. 14 

Chainnan of the Joint Chiefs of Staff General Richard Myers stated in 2004 that, 
“if you call [terrorism] a war, then you think of people in uniform as being the 
solution...terrorism is a peacetime problem, which must be about using peacetime 
remedies.” Both he and Secretary of Defense Donald Rumsfeld have expressed a 
preference for the tenn ‘global struggle against violent extremism’ over ‘global war on 
terror.’ Even President Bush has referred to the attacks on the World Trade Center in 
2001 as both criminal acts and acts of war. 


14 Jonathan B. Tucker, “Strategies for Countering Terrorism: Lessons from the Israeli Experiment,” 
Journal of Homeland Security (March 2003), 3. 
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3. Organized Crime 

One avenue for criminal investigators would be to look at organized criminals for 
links to terrorists. In a recent study, researchers asserted that it is “...well known that 
terrorists have affiliations with organized crime.” 15 If so, then investigations should strive 
to expose those links. 

The same report identifies similarities between the tactics of terrorist 
organizations and those of traditional organized crime. Both groups commit fraud and 
theft. Both also are known to traffic in drugs and human beings, and commit extortion 
and bribery. Terrorists have created shell companies, used chartable organizations, sold 
counterfeit goods, evaded taxes, and committed immigration and insurance fraud and 
forgery to generate or hide funds. Finally, both groups also may be involved in legitimate 
business to aid and conceal their actual motives. 

It is not unheard of for ties between criminals and terrorists to be close and 
collaborative. This situation is more common in developing nations than elsewhere. In 
more developed countries, terror-crime relationships are more likely to be based on short¬ 
term needs and not involve long-term interaction. 

Another area that warrants close attention is drug trafficking. Though links 
between drug traffickers and terrorist organizations are undoubtedly closer in other 
regions including parts of South America and Asia, a recent FBI bulletin reported that 
“Drug trafficking represents a significant and possibly growing source of revenue for 
terror groups...cells may employ drug trafficking to raise funds at a local level. Law 
enforcement can exploit this possible dependence on drug trafficking by international 
terrorist cells to detect and disrupt terrorist operations.” 16 Considering the size and scope 
of the illegal drug market in the United States, this would seem a fruitful area for law 
enforcement attention. 


15 Louise Picarelli, John Shelley, Allison Irby, et al., “Methods and Motives: Exploring Links between 
Transnational Organized Crime & International Terrorism” (Washington, D.C., U.S. Department of Justice, 
2005), 9. 

16 Federal Bureau of Investigation: Counterterrorism Division, “Intelligence Bulletin: Drug 
Trafficking and International Terrorism,” November 16, 2005. 
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4. White Collar Crime 

Perhaps the most obvious and probably the most common nexus between 
traditional crime and terrorism can be found in the area of white-collar crime. Money is 
the fuel for most crimes and while the goal of terrorism does not generally involve 
money, it is used to accomplish larger terrorist goals. The need for secrecy during 
terrorist planning can require anonymity and the use of deceptions. For example, money 
may be laundered to hide the source and destination of funds and false identification may 
be used to enable travel. An FBI brochure called The Role of Police in Combating 
International Terrorism, states, “False documents are the life-blood of the terrorist’s 
covert existence.” 

An analysis by the National White Collar Crime Center (NWC3) of 100 terror- 
related federal criminal cases found that every case included charges for some type of 
white-collar crime falling under one or more of six different fraud categories including 
document, financial, credit card, immigration, and mail, wire and tax fraud. Table 1 lists 
the charges filed in the 100 case sample: 17 


Table 1. Charges Filed in Case Sample 


White-Collar Crime Category 

% of Charges Filed 

Identification Document Fraud 

54% 

Financial Fraud 

16% 

Immigration Fraud 

16% 

Credit Card Fraud 

10% 

Mail and Wire Fraud 

4% 

Tax Fraud 

1% 


5. Examples of Terror-Crime Nexus 

It is generally well known that several of the 9/11 terrorists, including Muhammad 
Atta, had been stopped by local law enforcement for various offenses prior to the attacks. 
There are, however, also examples that illustrate the nexus between traditional crime and 
terrorism. 


17 John Kane, April Wall, “Identifying the Links Between White-Collar Crime and Terrorism,” 
(Richmond, VA, National White-Collar Crime Center, 2005), 3. 
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One of these crime prevention examples occurred in 1995 in the Statesville and 
Charlotte areas of North Carolina. An off-duty sergeant from the local sheriffs office 
observed three Arabic speaking men purchasing a huge amount of cigarettes at a local 
discounter and paying for it with large amounts of cash wrapped in rubber bands inside 
shopping bags. His initial suspicions ultimately led to a multimillion-dollar tobacco 
smuggling ring. That was the case, however. Further investigation revealed that the 
suspects were actually Hezbollah operatives funneling cash and specialized equipment 
back to the Middle East. Estimates are that the group generated over eight million dollars 
before being caught. The money had been used to purchase night vision goggles, mine 
detectors, blasting equipment, GPS devices, and other paramilitary equipment. Not 
coincidentally, the group and its members were also involved in a range of other criminal 
activity including bribery, credit card fraud, identity theft, tax evasion, and money 
laundering. Though the group was involved in vast numbers of crimes, most of the 
activities were deliberately kept at a low level and went undetected by local law 
enforcement. Describing the group, one FBI agent involved in the case stated, “They’re 
best described as part-time terrorists and full-time criminals.” 18 

Another example occurred in Colorado in the 1980’s. In 1985, after bombings in 
Detroit and Seattle, investigators began tracking members of a group known as al Fuqra. 
During the investigation, an Englewood Colorado police sergeant stopped a suspicious 
vehicle in which the driver was carrying a homemade weapon. A multi-year investigation 
ensued. In 1989, a search of a storage locker turned up 30 pounds of explosives, pipe 
bombs and other IED’s, shape charges, handguns, documents related to military training, 
target lists, guerilla warfare, bombing, sniping and surveillance, and evidence of 
document fraud including 54 blank birth certificates from two different states. Several 
documents contained plans for the murder of a person living in a mosque in Arizona. 
Two weeks after investigators identified and interviewed the subject in Arizona, he was 
found stabbed to death by an unknown assailant. A knife attack was one of the methods 
described in the documents found in Colorado. 


18 David E. Kaplan, “Homegrown Terrorists: How a Hezbollah Cell Made Millions in Sleepy 
Charlotte, N.C.,” U.S. News and World Report, March 10, 2003. 
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Interestingly, a private security business, Professional Security International (PSI) 
was associated with a number of al-Fuqra members and was found to have been used to 
facilitate money laundering and transfers and provide information for terrorist planning. 
The company was able to negotiate security contracts with the federal government and 
international airports, al Fuqra had been using PSI and several other security businesses 
for these activities. Unfortunately, the State of Colorado had no system for regulating the 
operation of security companies. 19 

6. Methodology to Identify Terror-Crime Interaction 

In the previously mentioned report on the links between organized crime and 
international terrorism, researchers developed what they describe as a “groundbreaking 
methodology for analysts and investigators to...identify crime-terror interactions more 
quickly and to assess their importance with confidence.” 20 

Researchers noted that terror-crime interaction is frequently discovered only by 
accident due to close analysis of specific terror groups and their activities. Discoveries of 
this type preclude the identification of patterns of crime, but are obtained only after 
specific terror groups have already been identified. Based on this finding, the research 
team developed a methodology to identify positive indicators of terror-crime interaction 
and further, to eliminate irrelevant data. They call this method preparation of the 
investigative environment (PIE). See Figure 1. 


19 Kane and Wall, “Identifying the Links,” 29. 

20 Picarelli, Shelley, Irby et al., “Methods and Motives,” 4. 
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Figure 1. Preparation of the Investigation Environment (PIE) 


PIE involves taking existing data and identifying specific examples of terror- 
crime interaction for the purpose of recognizing and thereby preventing planned terrorist 
activity. PIE separates data into three analytical components—criminal and terrorist 
network organization, the environment, and behavior. From these components, researcher 
selected twelve ‘watch points’, or indicators, that lead to a level of suspicion that 
warrants further investigation. The watch points are fully described in Appendix B. 

The process begins with identifying areas where associations between traditional 
crime and criminals and terrorists are most likely to occur. The next step requires analysis 
of watch points to determine where overlaps are likely to occur. The final step is to 
collect and analyze information where terrorists and criminals appear to cooperate. 
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While no known methodology will produce positive results every time, the benefit 
of any effective system will be to ensure that investigators and analysts are devoting time 
and resource to areas that objective analysis demonstrates is most likely to lead to valid 
information and therefore successful intervention and prevention. 

7. Conclusion 

While an ‘all-crimes’, or ‘cross-crimes’, emphasis by law enforcement in dealing 
with terrorism may be useful, the topical question is whether this approach can be 
exercised as part of a terrorism prevention scenario. Evidence points to clear and 
dangerous links between organized crime and terrorists. Furthermore, one axiom among 
white-collar crime investigators is ‘follow the money’, and this saying appears to apply 
equally well to terrorist organizations. 

Perhaps the more relevant question is how can terror-related crime be exercised. 
The answer, in part, is that intelligence-oriented exercises can be altered to incorporate a 
broader range of criminal activity. This can be done at the level of analysis, but prior to 
that, it can also be done by incorporating indications and warnings of those crimes most 
frequently linked to terrorist network and cell activities. In addition to intelligence, fusion 
centers can add crime analysts and exercise their skills and abilities as part of prevention 
exercises. Finally, using a formal methodology based on empirical data will direct 
resources to those areas most apt to generate positive results. 

Prevention exercises, while not law enforcement exclusive, almost by definition 
are law enforcement centric. Even if other non-law enforcement collaborators in 
homeland security efforts accept this viewpoint, it does not lend itself to equal 
partnerships, and therefore, it may be difficult to obtain as much buy-in from non-law 
enforcement agencies as may be ideal. Finally, the exercise of prevention is complex and 
not well understood. This can lead to apprehension on the part of agencies considering 
the exercise of prevention activities. Having a level of comfort is not an absolute 
requirement, but a lack of comfort should be acknowledged and addressed. Ultimately, 
providing clear guidelines, useful tools, and technical and financial assistance will help to 
overcome many of these obstacles, and most of this should come from the federal 
government. 
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B. INFORMATION SHARING ENVIRONMENT ANALYSIS 

Agencies considering prevention exercises should view intelligence challenges 
from an ‘all-crimes’ perspective, which is similar to the ‘all-hazards’ approach used for 
most preparedness activities. This approach is becoming more widely accepted with the 
recognition that terrorism intelligence at the state and local level will likely not be as 
effective unless analysts have access to traditional criminal infonnation. It is not 
uncommon for terrorists to be involved in precursor crimes of one kind or another, which 
could provide analysts additional opportunities to recognize potential threat elements. 21 
The Washington [State] Joint Analytical Center (WAJAC) and the recently opened Los 
Angeles Joint Regional Intelligence Center (JRIC) both recognize the value of the all¬ 
crimes approach and have adopted it as part of their core operations. 22 

Exercising state or local capabilities to prevent terrorism is best done in a multi- 
jurisdictional environment. Terrorists do not recognize borders, therefore, the flow of 
information and intelligence should not either. Rarely would terrorist planning, 
surveillance, movement, or other activities all occur in one sector or discipline of our 
response or civilian communities. In addition, prevention exercises involving the 
intelligence function of just a single agency would be more similar to training than 
exercising. 

1. Problems with the Current Approach 

The field of intelligence is vast, complicated, and after decades of relative secrecy, 
increasingly well documented. Much of this documentation relates to the many and 
varied problems in the federal intelligence community; intelligence roles and 
responsibilities that sometimes conflict; a lack of trust between organizations tasked with 
sharing infonnation; users having difficulty accessing the information they need; and, 


21 One example is the cigarette smuggling case in North Carolina, which involved Hezbollah 
operatives. More can be found in the following article. Sari Horwitz, “Cigarette Smuggling Linked to 
Terrorism,” Washington Post, June 8, 2004, sec. Metro-Crime. A01. 

22 Patrick McGreevy, “L.A.'s Counter-Terrorism Team May Get Permanent Status,” Los Angeles 
Times, February 3, 2006. 
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technological systems that are frequently incompatible. 23 These operational and relational 
issues are in addition to the need to ensure that legal rulings, polices, and guidelines are 
followed and in sync with prevention oriented plans and operations. 

The problems may be no better at the state and local levels. Law enforcement gets 
little guidance on what it should be looking for and only the largest police departments 
devote resources to a potent intelligence and analysis capability 24 

The current information-sharing environment is both overly complex and lacks 
robustness 25 In addition, the federal government has not yet defined a clear information¬ 
sharing environment path. In their recent report on infonnation and intelligence, the 
Markle foundation describes the federal effort as being “bogged down by gaps in 
leadership, policy articulation, turf wars, and struggles over competing...technologies. 
Indeed, our government seems to have lost its sense of the broader mission.” 26 

Another report, this from the U.S. House of Representatives, complains “despite 
numerous strategy pronouncements, memoranda of understanding, Executive Orders, 
reports, and promised guidelines for how to “do” information sharing, [federal 
policymakers] have come up short time and time again.” 27 

2. Information Sharing Environment 

Looked at broadly, through the federal legal definition, the Information-Sharing 
Environment is a program, under the Director of National Intelligence, initiated in 
accordance with the Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004. 
It is intended to examine and construct the combination of policies, procedures, and 
technologies linking the resources (people, systems, databases, and information) of 


23 John A. Russack, “Preliminary Report on the Creation of the Information Sharing Environment” 
www.ise.gov/PreliminaryReport.pdf. Accessed September 13, 2006, 4-7. 

24 K. Jack Riley, Gregory F. Trevorton, Jeremy M. Wilson, Lois M. Davis, State and Local 
Intelligence in the War on Terrorism (Santa Monica, CA: RAND, 2005), 58. 

23 Russack, “Information Sharing,” 2. 

26 Zoe Baird and James Barksdale, “Mobilizing Information to Prevent Terrorism” (New York, NY: 
Markle Foundation, 2006), 1. 

27 U.S. House Committee on Homeland Security Democratic Staff, “Beyond Connecting the Dots: A 
VITAL Framework for Sharing Law Enforcement Intelligence Information,” 2005, 4. 
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Federal, State, local, and tribal entities and the private sector to facilitate terrorism 
information sharing, access, and collaboration among users to combat terrorism more 
effectively.” 28 

The Information Sharing Environment is also a vision for the revision and 
implementation of improved polices, cultures or technologies. While initially focused on 
terrorism, the environment can include all-crimes, and includes information from sources 
in intelligence, law enforcement, the military, homeland security, and potentially 
others. 29 

The federal Information Sharing Environment is a legal construct, but it also 
exists at the local and state levels, even if it is not always referred to as such. For the this 
thesis, the definition of the information sharing environment is the state and local system 
by which information and intelligence is collected, exchanged, analyzed and acted 
upon—frequently using a fusion center at its core. For a successful prevention exercise, 
this environment must be fully understood. 

One strategic role of the federal government is to help guide the process of 
intelligence development from seeking and sharing information and intelligence to 
building knowledge. See Figure 1. Ideally, an infonnation sharing environment should be 
“scalable...distributed, decentralized...so that infonnation flows do not depend on a 
central infonnation broker.” 30 


28 Information Sharing Environment, “Program Manager Information Sharing Environment,” 
http://www.ise.gov/. Accessed August 7, 2006. 

29 Russack, “Information Sharing,” 7. 

30 Baird and Barksdale, “Mobilizing Information,” 21. 
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Figure 2. Advanced Collaboration Cycle 31 


3. Intelligence-Oriented Exercises are Law Enforcement Centric 

Intelligence is not the sole purview of law enforcement. State and local 
enforcement may, however, be “uniquely positioned to augment federal intelligence 
capabilities by virtue of their presence in nearly every American community, their 
knowledge of local individuals and groups, and their use of intelligence to combat 
crime.” 32 Intelligence collection for traditional crime prevention and investigation, 
however, is not the same as that needed for terrorism prevention and investigation. 
Traditional criminal intelligence tends to be tactically oriented. Counterterrorism 
intelligence requires significantly more analysis.” 33 In addition, traditional criminal 
investigations usually follow a single path from the crime backwards to the suspect(s). 
Prevention oriented counterterrorism investigations must look forward at many paths—a 
much more difficult process of predictive analysis. 34 


31 LTG Peter A. Kind (Ret.) and J. Katherine Burton, Information Sharing and Collaboration Business 
Plan (Alexandria, VA: Institute for Defense Analysis, 2005), 8. 

32 Riley, et at, “State and Local Intelligence,” ix. 

33 Ibid., 38. 

34 Ibid., xv. 
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This fact, along with the reality that separate intelligence and investigation 
capabilities are not always the most effective path to prevention is leading to changes in 
the structure of the intelligence community. For example, the Federal Bureau of 
Investigation (FBI), through the establishment of Field Intelligence Groups, is working to 
combine its intelligence and investigative capabilities. 35 Some would argue that, similar 
to the structures found at the local and state levels, there should be a combining of the 
many federal enforcement and investigative agencies under one (or at least fewer) 
umbrellas. While this could be one route to better cooperation among stakeholders, it is 
not the current reality. 

The primary investigative and intelligence agency assigned to the terrorism 
prevention mission is the FBI, a law enforcement agency. The FBI has approximately 
100 Joint Terrorism Task Forces in operation in the U.S. 36 These task forces are intended 
to facilitate cooperation in the prevention of terrorism. 37 As stated earlier, one problem 
with the intelligence community and its processes is that they are overly complex. As an 
example, the FBI alone distributes information in at least nine ways: Weekly Intelligence 
Bulletins; the Director’s Briefing; Intelligence Information Reports; Intelligence 
Assessments; the Secure Video Teleconference System; Urgent Reports; Quarterly 
Terrorist Threat Assessments; email messages; and Terrorist Watch List. 38 

Regardless, the purpose of briefly examining the current system is to demonstrate 
that terrorism prevention is, and will likely remain, not law enforcement exclusive, but 
law enforcement centric. 


35 Suzel Spiller, “The FBI’s Field Intelligence Groups and Police: Joining Forces.” FBI Law 
Enforcement Bulletin (May 2006): 1. 

36 Riley et al., “State and Local Intelligence,” 3. 

37 Ibid., 15. 

38 Ibid., 41. 
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4. Intelligence Fusion Process 

One increasingly recommended path for improving terrorism prevention 
intelligence is through the creation and maintenance of intelligence fusion. Intelligence 
fusion is defined as the “overarching process of managing the flow of information and 
intelligence across levels and sectors of government.” 39 

To assist in this process, Fusion Center Guidelines have been jointly developed by 
the Departments of Justice and Homeland Security. The foundation of the Fusion Center 
Guidelines is the National Criminal Intelligence Sharing Plan (NCISP) The NCISP is the 
model or blueprint to follow when building an intelligence function in law enforcement 
and the Fusion Center Guidelines are intended specifically for the law enforcement 
intelligence component of fusion centers and fusion centers are designed to fight both 
traditional crime and terrorism. 40 

The data fusion process is intended to combine uncertain, incomplete data with 
the goal of improving the value of the information. 41 This ability allows a fusion center to 
identify terrorism-related leads from crime-related leads and other information sources. 
In other words, fusion centers focus on all-crimes 42 

5. Analyzing the Information Sharing Environment in Exercises 

The reason prevention exercises require an analysis of the state and local 
information sharing environment is that prevention exercises can be designed around this 
environment. It would serve no purpose to exercise the infonnation-sharing environment 
that agencies wished they had. The exercise must test and validate the actual 
environment. Of course, prevention exercises can also help determine if future changes 
are warranted. 

The Infonnation Sharing Environment Analysis (ISEA) is a process that serves to 
“identify the organizations, personnel, activities, programs, networks, and data that 


39 U.S. DHS, DOJ, “Fusion Center Guidelines,” 2. 

40 Ibid., 2-3. 

41 Ibid., 12. 

42 Ibid., 17. 
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comprise and support the local antiterrorism mission.” 43 The analysis will typically 
produce an ISEA flow chart (see Figure 3). The flow chart is a graphical depiction of the 
state and/or (depending on the scale of the exercise) local information-sharing 
environment. It should include participants in the environment, inputs, outputs, and the 
flow of infonnation and intelligence though internal and external formal networks. As 
information can also flow through an almost limitless number of infonnal networks and 
channels the analysis should seek to identify the most common ways these may occur 
within the local infonnation-sharing environment. 



Figure 3. Sample ISEA Flow Chart for a State Exercise 


The results of the information sharing environment analysis should be used to 
tailor exercise objectives, ensure systems are realistically tested, and aid in the 
development of exercise injects. 44 

One difficulty in exercising intelligence functions, particularly collection and 
analysis, is that those people responsible for these functions are typically aware they are 


43 U.S. DHS, Homeland Security Exercise and Evaluation Guidelines, 2. 

44 Ibid., 3. 
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participating in an exercise and may be hypersensitive to clues that would not otherwise 
attract attention. This tendency can invalidate the results of a prevention exercise. 

There are ways, at least partially, to mitigate some of these artificialities. One 
method is to conduct exercises in real-time. This might require that an exercise last for 
days, weeks, or even months, allowing the intelligence life cycle to play out as it 
naturally might. This timeframe may be impractical, not to mention expensive and 
potentially disruptive, for many agencies. Prevention exercises must not always be 
conducted full-scale but can focus on smaller, specific components of a system, which 
can allow them to be scaled to more achievable proportions. Another method to mitigate 
the problem of exercise-related anticipation and awareness is the use of white noise. 
Intelligence exercises typically employ the use of white noise, or erroneous information, 
unrelated to the threat, to force analysts to prioritize information and make connections 
found within large amounts of data and information. Finally, intelligence exercises can be 
conducted without notice. That is, intelligence collectors, investigators, and analysts do 
not have to be aware that an exercise is being conducted. Of course, the larger the 
exercise, the more difficult it is to conceal its existence and this may only work in smaller 
exercise scenarios. 

6. Conclusion 

Historically, the American public has viewed intelligence as a feature of foreign 
security and not something required within the continental United States. 45 For 
prevention at the local and state level, effective intelligence is the most critical 
component. Abuses of the past need not be forgotten but lessons learned incorporated 
into intelligence policies and procedures to ensure that public trust is maintained. 
Moreover, we cannot ignore that many past intelligence failures have resulted from over 
reliance on technology. The “human dimension is critically important for information 
sharing.” 46 Personalities and relationships can frequently bridge gaps communication 
links. There may be truth to the saying it is better to have a friend than a plan. 


45 Todd Masse, “Domestic Intelligence in the United Kingdom: applicability of the MI-5 Model to the 
United States” (Washington, D.C., Congressional Research Service, May 2003), 9. 

46 Baird and Barksdale, “Mobilizing Information,” 51. 
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C. RED TEAMING 

Unlike many traditional crimes, terrorism, by definition, is indiscriminate, and 
therefore, very nearly, unpredictable. Nevertheless, there are ways to anticipate 
reasonably likely attack scenarios and therefore train and exercise strategies to prevent 
them. One of the most effective, yet little used, strategies is red teaming. 

The deployment of a trained adversary provides an essential move-countermove 
element not available in response exercises. As it applies to homeland security, it 
involves thinking or acting like a terrorist in an effort, for example, to identify security 
weaknesses and potential targets. Red teaming can be accomplished through field-based 
physical operations or on an analytical level through discussions. Adversaries, as 
portrayed by red teams, should accurately represent whatever the most probable threat 
facing the jurisdiction. If it is not an accurate reflection, and the jurisdiction measures its 
capabilities against it, the jurisdiction stands the chance of developing a false sense of 
security, or worse yet, inappropriate counter-measures. 

The Department of Homeland Security has developed a program called the 
Universal Adversary (UA), to assist with this requirement. The UA essentially collects 
real-world threat group information and sanitizes it into usable materials in unclassified 
exercises for all levels of government. The UA also has the capability to manifest itself 
into the physical deployment of any of its threat group by way of a Red Team. 

Unfortunately, while red teaming can be a tool of significant value, it also carries 
with it the greatest amount of risk. For this reason, only trained, experienced, and 
disciplined professionals should be used as red team adversaries. This will help avoid 
both inaccurate portrayal of an adversary, and, more importantly, the potential for 
personal injury to exercise participants. 
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The National Strategy for Homeland Security states that “employing ‘red team’ 
techniques” is a major initiative within the intelligence and warning mission area... 47 
The Congressional Research Service, in its report. Border and Transportation Security: 
Possible New Directions and Policy Options, also recommends the expanded use of red 
teams. 48 

1. Definitions 

Red teaming is a relatively new term that describes a variety of exercise activities. 
The most basic level of red teaming, if it can be called that, is to conduct peer review of 
plans and policies to detect vulnerabilities or perhaps to simply offer alternative views of 
scenarios. 

There are a number of definitions of red teaming, each differing primarily in 
scope but otherwise similar in content. One definition is that red teaming is an iterative, 
interactive process conducted during crisis action planning to assess planning decisions, 
assumptions, processes, and products from the perspective of friendly, enemy, and 
outside organizations. 49 Red teaming has also been described as the “capability-based 
analytical or physical manifestation of an adversary, which serves as an opposing 
force...” 50 

Red teaming can be a form of risk assessment and mitigation, with the key 
difference that red teaming involves the presence of an adversarial condition. Red 
teaming is not intended to be used as an oversight function. For the purpose of this 
Chapter, red teaming refers to having the role of an active, thinking, and importantly, 
adaptive, opponent in an exercise. Adaptive opponents allow exercise participants to 
engage in both prevention and protection-related activities simultaneously. 

As indicated by the name, red teaming involves the use of teams, the most 
important of which is the red team itself. According to the Homeland Security Exercise 

47 Office of Homeland Security, National Strategy’, viii. 

48 Congressional Research Service, “Border and Transportation Security: Possible New Directions and 
Policy Options” (Washington, D.C.: March 2005), 19. 

49 Col Timothy G. Malone and Maj Reagan E. Schaupp, “The ‘Red Team’: Forging a Well-Conceived 
Contingency Plan,” Aerospace Power Journal XVI, no. 2 (Summer 2002). 

50 DHS, Homeland Security’ Exercise and Evaluation Program. 
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and Evaluation Program, a red team is a “group of subject matter experts with various 
appropriate disciplinary backgrounds, that provide an independent peer review of plans 
and processes, acts as a devil’s advocate, and knowledgably role-plays the enemy using a 
controlled, realistic, interactive, process during operations planning, training, and 
exercising.” 51 


Table 2. Typology of Activities with Embedded Red Team Approaches 
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Red teaming has long been used in the military. The Defense Science Board states 
that there are three types of counterforce training. Surrogate adversaries and competitors 
intended to sharpen blue team skills, expose vulnerabilities, increase understanding of 
options and response plans; devil’s advocates who provide critical analysis to critique 
plans and strategies, etc; and independent sources of judgment such as general advisory 
boards. 52 Red teams evaluate a target or tactic, but not the likelihood that a particular 
target will be attacked. Red team members are strategists who identify what to attack and 


51 DHS, Homeland Security Exercise and Evaluation Program. 

52 U.S. Department of Defense, Defense Science Board, “The Role and Status of DoD Red Teaming 
Activities” (Washington, D.C., September 2003). 
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domain experts who identify how. Non-military red teams should not be, however, solely 
target-focused. Red teams can also be used to engage and cause reaction to allow 
agencies to deploy systems such as the intelligence life cycle. 

Red teaming also involves other participants, each of which can be part of a team. 
Blue teams represent defenders at all levels. The role of the blue team is to think about 
how surprise attacks might occur, identify indicators and warnings of those attacks, 
collect intelligence on those indicators, and adopt defenses against the most likely 
possibilities or at least provide early warning. 53 Partners and neutral forces represent 
green team members. White team members frame, execute and evaluate the exercise, 
facilitate and mentor team members, and otherwise ensure the exercise continues. Using a 
nomenclature that color codes each team is optional for all participants except the red 
team itself. 

While there are potentially many levels of red teaming, two of the most common 
are physical red teaming and analytical red teaming. Physical red teaming involves 
individuals portraying actual, realistic, adversary moves and countermoves in an exercise. 
A physical red team embodies the selected adversary, acting according to the selected 
group’s motivations, capabilities, and intent. Physical red team operators plan, prepare, 
and leave signatures. Using a sliding level of realism, they act out and execute the steps 
dictated by known terrorist tactics, techniques, and procedures, and provide the means for 
the blue team players to interact with an adversary in an exercise setting. 54 

A second fonn of red teaming is referred to as analytical red teaming. The benefit 
of analytical red teaming is that it can be conducted by agencies possessing almost any 
level of capability, at a lower cost, over a shorter time, and with fewer personnel. Of 
course, using fewer personnel presents both positive and negative aspects since fewer 
participants also means that fewer people are trained. Analytic red teaming provides a 
potential adversary’s view of threats, vulnerabilities, and countenneasures. Without 
testing the physical limitations of antiterrorism measures, analytical red teaming can offer 


53 CRS, “Border and Transportation Security,” 19. 

54 DHS, Homeland Security Exercise and Evaluation Program, 6. 
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insight to challenge prevailing views, prevent surprise, allocate resources, and expand the 
bounds of imagination. Analytical red teaming can occur as part of a discussion-based 
exercise or as a stand-alone activity. 55 

Red teaming can be conducted on multiple levels and used in different types of 
exercises. Discussion-based and tabletop exercises, for example, may, in some cases, be 
preferable to field exercises, primarily due to these types of exercises being much simpler 
and less expensive to conduct. According to a report from Sandia National Laboratories, 
however, field red teaming has significant strengths when compared to simple analytic 
exercises and is “most likely a preferable approach.. .in some settings.” The report states 
that field-based games lend realism to the process, add real-world complexities and that 
red team dynamics add a joint sense of ownership to problems. 56 Ultimately, the type of 
exercises to conduct will be determined by costs, resource availability, knowledge, skills, 
and abilities of the participants, training culture of the organization, and the intended 
purpose of the exercises. 

2. Background of Red Teaming 

The value of any exercise rests on how realistically it is carried out. The Battle of 
Midway is a good example. On May 1, 1942, six months after Japan attacked Pearl 
Harbor, the Japanese Combined Fleet HQ conducted a four-day series of war games to 
test the operations planned for the upcoming Battle of Midway. War gaming and red 
teaming are functionally similar endeavors. Unfortunately for the Japanese, the war game 
had serious defects in both its approach and its methodology. 

First, game planners and controllers assumed that the Imperial Navy could 
execute all operations without difficulty. Much of this was due to the arbitrary 
interference of the Rear Admiral presiding over the game. He would countermand the 
ruling of game umpires whenever their determination adversely affected the Japanese 
side. 


55 DHS, Homeland Security Exercise and Evaluation Program, 14. 

56 Judy Whitley, John Moore, Rick Craft, Red Gaming in Support of the War on Terrorism: Sandia 
Red Game Report (Albuquerque, NM: Sandia National Laboratories, January 2004), 25. 
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Second, there was a serious lack of familiarity with the plan by the operational 
commanders responsible for the conduct of the game. 

Finally, many of the officers of the operational force were dissatisfied with many 
aspects of the plan, in particular the underestimation of the enemy capabilities. They did 
not voice their reservations, however. The problems that were identified and the 
underlying (and flawed) assumptions were never challenged. 57 

Though other factors, including poor luck by the Japanese and superior signals 
intelligence by the Americans, contributed to heavy losses by Japan (four aircraft carriers, 
three thousand sailors and strategic advantage in the Pacific), poor planning, training and 
exercising did nothing to improve their chance of success. 

Later in the war, the allies more effectively used exercising when they 
successfully war-gamed the deception plan for the invasion of Europe to ensure they 
could counter German attempts to discover the deception. 58 

More recently, the Nuclear Regulatory Commission conducted 81 red team 
exercises at nuclear power plants from 1991-2001. In 37 of those exercises, teams were 
successful in ‘attacking’ their target. This exposed serious security weaknesses and led to 
improvements. 

Currently, Sandia National Laboratories is doing extensive red teaming research, 
much of which is related to cyber threats, as red teaming is relatively common in the area 
of cyber-security. 

The U.S. Department of Defense views red teaming as a “valuable, but 
underutilized” exercise strategy. 59 Red teaming conducted by the U.S. Army in 1996, 
though, was less than successful. Opinions varied on their value as many of the exercises 
were apparently scripted only to validate existing operational concepts. The army has 


57 Defense Science Board, “Role and Status of DoD Red Teaming Activities,” 35. 

58 Colonel Gregory Fontenot, U.S. Army, Retired, “Seeing Red: Creating a Red-Team Capability for 
the Blue Force,” Military’ Review (September-October 2005): 6. 

59 Defense Science Board, “Role and Status of DoD Red Teaming Activities.” 
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typically used red teams in an ad hoc manner with no established doctrine or 
methodologies. Additionally, military red teams lack shared tactics, techniques, and 
procedures. 60 

This may soon change, however, as the U.S. Army, through their University of 
Foreign Military and Cultural Studies, is developing an education, training, and practical 
experience curriculum for red teams. The program hopes to publish a red teaming best 
practices handbook and consists of an eighteen-week course for red team leaders, six 
week course for red team members, and two week course for mentors and subject matter 
experts assigned to red teaming operational support. 61 

3. Benefits of Red Teaming 

The benefits of red teaming are many. Perhaps most importantly, successful red 
teaming offers a hedge against surprise and inexperience and a guard against 
complacency. It tests the fusion of policy, operations, and intelligence. It can be used to 
imitate attackers, other agencies, even Murphy’s Law. Red Teaming can yield a closely 
synchronized planning staff, drive more complete analysis, and deliver a better plan. Red 
teams can highlight deviations from doctrine, reveal overlooked opportunities, and 
determine how well an agency understands its own plans and procedures. It can also 
improve both contingency and deliberate planning. 62 

As one researcher has detennined, red teaming “provides a means to build 
intellectual constructs that replicate how the enemy thinks [because the constructs] rest 
on a deep intellectual understanding of his culture, [the] ideological (or religious) 
framework through which he interprets the world...and his possible and potential 
strategic and operational moves.” 63 This is important because carefully and accurately 
imitating the enemy (or whatever function is being tested) is what lessens the likelihood 
an agency will be caught by surprise and left unprepared. This requires that agencies 


60 Fontenot, “Seeing Red,” 6. 

61 Ibid. 

62 Malone and Schaupp, “Red Team,” 11. 

63 Williamson Murray, Red Teaming: Its Contributions to Past Military Effectiveness (McClean, VA: 
Hicks and Associates, September 2002), 58. 
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practice against threats that are specific to the geographical areas being tested. We can 
better prioritize prevention and response plans when we better understand the culture and 
objectives of potential attackers. 

Red teaming can increase opportunities by challenging aspects of plans, 
programs, and assumptions. It allows organizations to model missions, assets, and 
operating environments and to then assess these systems through the eyes of an enemy. 
Perhaps most importantly, it can assist organizations to prepare for the unexpected. 64 

In addition, effective red teaming can define a threshold of detection, suspicion, 
and action. It can and should cause blue team exercise players to recognize suspicious 
behavior, investigate networked resources, share information, and/or any number of other 
steps to prevent or deter a particular attack. Specific examples of these behaviors might 
include attempts to purchase weapons or pre-cursors for weapons and inquiries made to 
private sector security, law enforcement, or others regarding security measures or 
infrastructure vulnerabilities. Red teaming, however, should not include potentially 
dangerous activities such as driving erratically, physical threats, or foot and vehicle 
chases. 65 

Finally, Fontenot argues that red teaming can reduce risk, perturb a stagnant 
organization, avoid predictability, overcome bias, and improve flexibility and response. 
At the macro level, red teaming expands problem definitions, challenges assumptions, 
and provides an independent view of vulnerabilities; it also provides a better 
understanding of potential enemies, can identify the secondary and tertiary effects of 
plans, and can reveal opportunities and provide alternative courses of action 66 

4. Impediments to Effective Red Teaming 

Unfortunately, in addition to the benefits, there are also numerous possible 
impediments to conducting effective and helpful red teaming. Culpepper classifies 
impediments into situational and organizational. Situational impediments include the 


64 DoD Defense Science Board, “Role and Status of DoD Red Teaming Activities,” 14. 

65 DHS, Homeland Security Exercise and Evaluation Program, 51. 

66 Fontenot, “Seeing Red,” 5. 
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chosen scenarios, the selection and training of members and the conditions. 
Organizational impediments depend on the organization and include red team interactions 
with the blue team, organizationally imposed constraints and the interpretation, 
distribution and reception of the resultant lessons learned. 67 

The Defense Science Board has compiled an even more detailed and thorough 
inventory of what makes for successful, and unsuccessful, red teaming. Among the more 
common reasons for failure include red teams not given enough latitude, not approaching 
the task with gravitas or conversely, not being taken seriously by the organization, not 
accurately capturing the culture of potential adversaries, and team members of poor 
quality or lacking in adequate training. The board identified elements of effective red 
teaming that address some of the reasons for failure. In addition, they add that red team 
success requires an organizational culture that values constructive criticism and provides 
top cover for exercise participants, meaning independence with accountability and 
accepting and acting upon red team recommendations. 68 Fontenot adds that organizations 
should value intellectual preparation as seriously as physical preparation. 69 This is 
perhaps the most important factor in conducting successful red teaming. 

Another hindrance is that organizations may not want to share infonnation and 
thereby limit not only the ability to effectively carry out the exercises but also the 
usefulness of lessons learned. Furthermore, if red team play is overly scripted, it can limit 
the training value by taking the realism out of what should be a realistic exercise. 
Conversely, play that lacks sufficient scripting can lead to unexpected and undesired 
outcomes, make assessment more difficult, and increase safety risks. 

Finally, there have been demonstrated historical difficulties in creating and 
sustaining red teaming and therefore, based on this experience, it is possible that new red 
teaming initiatives will not provide expected values. 


67 Anna M. Culpepper, “Effectiveness of Using Red Teams to Identify Maritime Security 
Vulnerabilities to Terrorist Attack” (Master's Thesis, Naval Postgraduate School, Monterey, CA, 2004), 11. 

68 DoD Defense Science Board, “Role and Status of DoD Red Teaming Activities,” 6. 

69 Fontenot, “Seeing Red,” 6. 
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5. Methodology for Using Red Teaming in Exercises 

There are a number of steps involved in the development of red team exercises. 
The hosting or lead organization must detennine the objectives and/or desired results 
which may include: liaison with governmental and/or private partners, detennine the 
scale and type of exercise, the type of scenario, the method of evaluation and the 
documentation plan, develop the scenario, identify and train the appropriate participants, 
conduct and evaluate the exercise, prepare thorough documentation, evaluate the 
performance, develop the improvement plan, make required and desired improvements, 
and finally, exercise again. This basic outline applies to virtually all exercises, not just 
red teaming, and many of the steps are intuitive. However as it may be more expedient, 
less costly or simply reduce the potential for embarrassment, some organizations may 
choose to omit steps in the process. This is not recommended. 

Addressing red teaming specifically, Malone, et al. have developed a detailed 
checklist for red team exercise preparation: 

1. Establish Secure Locations Away from Distractions 

a. Privacy, secure network, maps and overlays (generally open- 
source), and office supplies 

2. Gather Necessary Reading Material and Data 

a. Appropriate policies, directives and other orders, general guidance, 
message traffic (intelligence reports, etc.), relevant briefing 
documents produced in the planning process, relevant publications, 
organizational charts, location studies, etc. 

3. Prepare to Role-Play the Enemy and Other Adversaries 

a. Review location studies, study enemy doctrine and capabilities, 
determine enemy’s probable actions, study the political 
environment 

4. Understand the Overall Situation and Blue Planning Process 

a. Review assessments, orders, messages, and other products, identify 
blue team assumptions, etc. 70 

This checklist, however, particularly bullet point 4, “Understand the Overall 
Situation and Blue Planning Process,” may be more appropriate for military red teams. 

70 Malone and Schaupp, “Red Team,” 5. 
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For example, adversaries (whether real world or red team) would not typically have 
access to governmental or private sector assessments, assumptions, messages, etc. This 
type of information should only be available to red teams if it would be available to real 
world adversaries. Also not mentioned by Malone, but supremely important, is the 
integration of effective and redundant safety measures. 

A red team exercise should be an action-reaction-counteraction game prompting 
move and countermove analysis. Red team operations should affect the actions of the 
blue team (in other words, be realistic but noticeable), potentially affect other red team 
actions (e.g., a change of plans), and provide data and information that will stress the 
system and drive exercise play. 71 Real value can be obtained by using red teams at 
varying suspicion thresholds. For example, a team can be activated and conduct 
operations in the least suspicious manner possible, presenting few indicators and 
warnings on which blue teams can react. If they are not discovered, continue to send 
them in, each time increasing some level of suspicious behavior until the prevention 
system engages. This allows the threat detection system to be tested and evaluated more 
precisely ensuring specific training needs are identified. 

To generate new ideas, red team members should be subject matter experts and 
represent a balance between skilled permanent staff and shorter-term transient members. 
The key is there should be a variety of opinions and ideas. The risk in not using people 
fully trained in red team operations or not fully understanding the mind of the adversary 
is that an agency could end up developing a false sense of security or devising 
inappropriate countenneasures based on unrealistic threats. The resources available to the 
organization will be a factor. 


71 U.S. Department of Homeland Security, Prevention Exercise Training Course: Participant 
Plandbook (Washington, D.C., March 2006), Module 4. 
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Figure 4. Red Team Participant Interactions 


The red team scenario should be a general outline, not a detailed script and should 
be based on historical threats or known current threats. An example scenario outline 
might include an adversary profde, objective, target, weapon, location, and timeline. 
Furthermore, as mentioned earlier, red teams should only have access to information that 
real-world adversaries could access. In Figure 4 above, the vertical dotted lines represent 
information firewalls or filters. To drive exercise play, information must flow between 
the red and blue teams, just as it would in the real world. For example, red teams may 
observe (and adapt to) increased security at an intended target. The red team typically 
would not, however, have additional information about the cause of the increased security 
unless interactive play between the teams has allowed the information to be obtained. In 
short, the firewalls or filters are designed to ensure that information possessed by red and 
blue teams is as realistic as possible. 

Creating the adversary scenario is dependent on knowledge of the adversary 
otherwise, the scenario may not reflect real world threats. Choosing a plausible adversary 
for a specific geographic location, however, can be sensitive if it is too closely based on 
actual threats. To avoid the need to use or release actual threat information, organizations 
can use a predetennined ‘universal adversary’ (UA), as developed by the U.S. 
Department of Homeland Security for use in replicating actual terrorist adversaries. The 
most important aspects of the universal adversary to consider for an exercise are 
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ideology, motivation, tactics, capability, and objectives. A shorter variation of these 
adversary aspects still includes academic, ideology, and operations (tactics, techniques, 
and procedures). The universal adversary data enables exercise players to simulate 
intelligence gathering and analysis and ensure realistic representation of the hazards 
posed to the personnel, procedures, and/or target being exercised. Local or regional 
intelligence background infonnation can serve as the foundation for the selection of the 
universal adversary and its target(s). 72 

Red team members can use targeting infonnation developed internally by the 
exercise planning team or, alternatively, may use information collection methodologies 
that the chosen adversary might use including the internet, other publicly available 
records, surveillance and planted insiders. 73 

As stated earlier, there are two general types of red team exercises, physical and 
analytical. In physical red team exercises, the red team operationally portrays adversaries 
in the field. To minimize the risks inherent with this type of exercise, red teaming must 
always keep safety as the foremost consideration. Without adequate safety measures there 
can be no exercise. Accidents, in addition to causing harm to our most valuable resource, 
our personnel, can lead to negative perception of exercise play and players, and cause 
leaders to reconsider the value of red team exercising. Red teaming does involve 
increased risks, however, and organizations need to make informed decisions. 

Physical red teaming requires careful planning and safe execution. To abet this, 
exercise documentation should include a red team handbook. The handbook is a 
collection of all red team documentation. The purpose of the handbook is to aid in 
conducting safe activities and assist red team controllers in understanding their roles and 
responsibilities. The handbook should include a profile of the adversary, the type of 
threat posed by the adversary, rules of exercise play, operational safety requirements, 


72 DHS, Homeland Security Exercise and Evaluation Program, 11. 

73 Ibid., 13. 
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detailed scenario information, description of each red team operation, target infonnation, 
communications plan, contact information, red team members unique identification and 
credentialing. 74 

Safety can be achieved by establishing clear and consistent rules of exercise play, 
ensuring red team members are properly selected, adequately supervised, have unique 
identification and sufficient training. The rules of exercise play should define the 
boundaries of exercise play and include guidance on the use of force, weapons, in and out 
of bounds areas, personal safety, hazardous environments, and others. 75 Other rules 
should include no real weapons; red team actions conducted within the law, and, in a 
prevention-oriented exercise, the final attack should not be simulated. Additionally, all 
props must be safe, levels of force set at pre-defined levels, protective equipment 
sufficient for the scenario and type of exercise, exercise sites are checked for hazards, 
warning signs are posted, where appropriate, and first aid is available. 76 

Red team safety controllers should be able to observe and monitor red team 
operators and operations without interfering or drawing unnecessary attention to their 
presence. Finally, every action of the red team should be observed by at least one 
evaluator. 77 

Analytical red teams portray an adversary but do not involve actual field play. 
Analytical red teaming adds value to simple discussion-based exercises and can range 
from basic peer review to near-real-time (notional) force on force interaction, as in games 
or simulations. 78 

Generally, analytical red team participants' need not all be subject matter experts 
but must have a strong working knowledge of their organizations plans, policies, and 
procedures. However, at least one red team expert should participate and have an 


74 DHS, Homeland Security Exercise and Evaluation Program, 32. 

75 Ibid., Appendix B. 

76 Lynch, “Developing a Scenario-Based Training Program,” 7. 

77 DHS, Homeland Security Exercise and Evaluation Program , 4. 

78 DHS, Prevention Exercise Training Course, Module 4. 
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operational, academic, and most importantly ideological understanding of the portrayed 
adversary. The red team expert should help develop the scenario and adversary profile 
and assist with facilitation and team member indoctrination in the chosen adversaries 
ideology, motivation, capability, objective, and tactics. 

During analytical red teaming, participants analyze the attack plans and look for 
indicators and warnings, key decision points, and vulnerabilities in the plan. Participants 
should assess whether their current plans, policies and procedures would be able to 
successfully repel an attack and, if not, work to modify and improve plans, policies and 
procedures to enable them a better opportunity for success. 

6. Limitations of Red Teaming 

While past behavior might be the best predictor of future behavior, it will not 
necessarily identify a future, never before seen, method of attack. There will never be 
enough information to predict all possible means of attack. Typically, red team exercises 
are based on prior events and are less likely to anticipate new, unplanned or never before 
seen events. In addition, attackers may look at whole systems, or multiple targets and it is 
not possible to exercise every area. 79 “Red teaming will not prevent surprises. But, [it] 
can prepare...organizations to deal with surprise. In particular, it can create the mental 
framework that is prepared for the unexpected.” 80 

Red teaming is difficult to do and even more difficult to do well. Nor is red 
teaming a perfect or foolproof method of improving prevention capabilities. Red teaming 
is also not well suited to developing solutions to problems so much as raise issues and 
explore potential responses that can be explored in more detail. 81 Even the Defense 
Science Board’s extensive research could not find agreed upon red team capabilities, 
functions, or means to ensure quality. Finally, there will always be some things that are 
tainted or influenced in some way by the fact that the red teams are not really attackers, 
but simply doing their best to mimic potential attackers. 

79 Toby Eckert, “U.S. 'Red Teams' Think Like Terrorists to Test Security,” San Diego Union-Tribune, 
August 20, 2002. 

80 Culpepper, “Effectiveness of Using Red Teams,” 59. 

81 Richard Brennan, “Protecting the Homeland” (Arlington, VA: RAND, 2002), viii. 
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One researcher has concluded, “Where red teams existed in active and vigorous 
forms... organizations have almost invariably out-performed their opponents...” 82 If done 
correctly, red teaming is realistic, near real world, training. Unlike traditional response 
operations, which begin after attackers have succeeded, prevention operations must begin 
before and during the planning stages of an attack. Red teaming may be one of the few 
reasonably effective methods to exercise those prevention tactics. As the Homeland 
Security Institute has said, “Red teaming must be advanced in order to aid in the 
understanding and anticipation of the adaptive and complex nature of the adversary.” 83 

Attackers will adapt to our plans and our responses. We must also continually 
adapt and improve. Plans and procedures need to be stressed and once stressed, must 
evolve and improve. Progress does not need to be dramatic; it can be a series of 
incremental improvements over time. The key is that strategic, operational, and tactical 
planning and exercising is an iterative and evolving process. 

D. THE ATTACK TREE 

Attack trees are sometimes referred to as threat trees and are similar in structure to 
the fault trees used in system safety analysis and other areas. Bruce Schneier, a computer 
security expert, first introduced the concept in 1999. An attack tree is a graphical 
collection of boxes (nodes) laid out in a hierarchical fashion. They are designed to 
analyze possible attacks in a structured and systematic way and are intended to model the 
human decision process. A reasonably complete attack tree would illustrate all of the 
potential paths that an attacker could take to achieve a certain goal. For example, in an 
exercise, this might be an improvised explosive device (IED) attack. Each step required 
of or available to the attacker is modeled including decision points in the planning, 


82 Williamson Murray, “Thoughts on Red Teaming” (McClean, VA: Hicks and Associates, May 
2003), 2. 

83 Shelley Kirkpatrick, PhD, Shelley Asher, Catherine Bott, “Staying One Step Ahead: Advancing Red 
Teaming Methodologies through Innovation” (Arlington, VA: Homeland Security Institute, 2005), 1. 
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preparation and attack phases, though in a prevention exercise, this would not include the 
attack itself. In essence, an attack tree shows a path through an exercise highlighting the 
various available steps, options, and decision-points of an adversary. 84 

While attack trees are a relatively new concept, they are well known in the area of 
cyber security. For example, American Electric Power, one of the largest electric utilities 
in the United States uses attack tree modeling to evaluate cyber and physical security 
risks. 85 One use of fault-tree based modeling is in Model Based Vulnerability Analysis or 
MBVA. MBVA is a form of analysis that combines network, fault, event, and risk 
analysis into a single methodology for conducting analysis on critical infrastructure 
vulnerabilities. 86 

1. Benefits of Attack Trees 

Classic threat and vulnerability assessments are conducted annually or when 
required to generate or maintain funding. With a computerized attack tree model, 
information is li nk ed and as one part of the model is updated, related parts are updated. 
Furthermore, models can be used to test procedures and processes for effectiveness in 
advance, without having to devote large numbers of resources each time. Scientific 
models are more advanced and detailed than simple, probabilistic, models, which 
generally tend to involve a greater degree of randomness. Though a model cannot 
substitute for an actual, physical test, it is a quick, cost-effective way to test selected 
system components and to determine what may or may not require further, more detailed, 
testing. 

Typically, security systems are built on expert opinion and not on scientific 
evidence. They are formed over time as reactions to perceived weaknesses or attacks. 


84 U.S. Department of Homeland Security, “Homeland Security Exercise and Evaluation Guidelines 
Volume V, Chapter One, Prevention and Deterrence Exercises, draft” (Washington, D.C., 2006). 15. 

85 North American Electric Reliability Council, “Risk-Assessment Methodologies for Use in the 
Electric Utility Industry” (Princeton, New Jersey, September 2005), 526. 

86 Professor Ted Lewis, “Module 5 Learning Objectives ,” Center for Homeland Defense and Security, 
Naval Postgraduate School, https://www.chds.us/courses/mod/rcsource/vicw.php7KH364/ (Accessed July 
16,2006). 
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Interestingly, models are frequently used as an analysis tool—except in security. 87 
Models are designed to forecast or predict what might happen based on certain ‘what-if 
scenarios. Additionally, they are useful to illustrate complex information in a more 
comprehensible manner. This is a benefit to practitioners. A thorough, well-designed, 
attack tree provides profiles that can characterize a broad range of attacks and is a tool to 
assist with the automation of threat analysis. 88 It can be especially effective in assessing 
risks from intelligent adversaries. 89 

Attack tree models can be modified, reused, and shared among individuals or 
organizations that have similar needs. This is important because complex attack trees can 
require significant investments in time and energy and are not simply built, but built 
upon. A multifaceted tree can be added to or improved upon by any number of people. 
They can be built over time by different people from many different disciplines. They can 
model dynamic changes such as new attackers, methods, motives, or resources. Attack 
trees can include other information such as costs, values, time, and impacts in tenns of 
time or costs, physical or legal risks assumed by attackers, etc. 90 This ability allows it to 
be a potentially potent tool during prevention exercises. The information in the attack tree 
allows exercise planners to “develop plausible scenarios and master scenario events list 
(MSEL) injects, minimize artificialities, and portray accurate timelines, all of which are 
essential elements of an effective prevention and deterrence exercise.” 91 

2. Constructing an Attack Tree 

The first step in constructing an attack tree is to identify possible attack goals and 
plot each goal on a separate tree. Each possible attack is then deconstructed into all the 
steps it would take to make it happen. Each step in the process becomes a node on the 


87 Amenaza Technologies Limited, “Creating Secure Systems through Attack Tree Modeling.” 
www.amenaza.com/downloads/docs/5StepAttackTree_WP.pdf. Accessed September 20, 2006. 

88 Siouke Mauw, Martijn Oostdijk, “ Foundations of Attack Trees ” (Netherlands, Eindhoven University 
of Technology, 2005), 1. 

89 Amenaza Technologies Limited, “ Creating Secure Systems through Attack Tree Modeling .” 
www.amenaza.com/downloads/docs/5StepAttackTree_WP.pdf. Accessed September 20, 2006. 

90 Robert J. Ellison, “ Attack Trees ” (Pittsburgh, PA, Carnegie Mellon University, September 2005), 2. 

91 U.S. Department of Homeland Security, “Homeland Security’ Exercise and Evaluation Guidelines 
Volume V, Chapter One, Prevention and Deterrence Exercises, draft ” (Washington, D.C., 2006). 15. 
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attack tree. Attacks are modeled as paths from a leaf node (lower level box) up to the root 
node (top-most box). The steps of the attack, represented by nodes, can be given either a 
binary value (yes/no, possible/impossible, etc), or they can be assigned specific values. 
Instead of, for example, the nodes yes or no, they could represent the probability or 
likelihood that particular step will be used. This would allow for more precise analysis 
but, of course, is dependant on the accuracy and availability of the infonnation. 

Through an examination of the adversary’s options displayed by the attack tree, 
planners can detennine which of their capabilities they want to test in an exercise 
including systems, processes, personnel, policies, and procedures. Of course, any changes 
made to these same systems, processes, etc, may require the attack tree also be changed 
or updated. An excerpt from an attack tree is shown in Figure 5. 



46 














An attack tree can be based on historical and anticipated attack data. 92 As a tree is 
built, new methods or previously unconsidered paths of attack may present themselves 
thereby making the construction of an attack tree a prevention tool for both newer, 
imaginative attacks and real-world prevention activities. 

Attack trees are typically represented graphically though they can be either 
graphical or textual. A graphical illustration is based on a tree structure. A textual 
illustration usually follows a numeric outline. 93 The benefit of a textual outline style of 
attack tree is that it may flow more logically when viewing very long or complex attack 
patterns 94 

An attack tree can highlight possible paths of attack, but it can also assist by 
eliminating unlikely paths. For example, if an attack costs more to produce that the 
expected benefit, it can be reasonably assumed that it is unlikely (or at least less likely) to 
take place. Conversely, the higher the reward (meaning the greater destructive value of a 
target) compared to the cost (whether financial, logistical, human, or other), the greater 
the motivation. Attacks that require more resources than an attacker is known or 
presumed to have are not considered. 

Looking at an attack tree, it may appear intuitive that weaknesses or 
vulnerabilities higher in the tree (closer to the root goal) should be mitigated first. This 
may sometimes be true, and while this may make sense in some cases, changes in one 
node may have implications for continued operations elsewhere. 

Attack tree construction takes practice and an analytical, detail-oriented mind— 
even if constructing with the aid of attack tree software. Moreover, attack tree 
construction and analysis is better informed if planners represent a variety of disciplines, 
e.g., fire, health, etc. Having a variety of disciplines is most helpful when those 


92 Andrew Ellison, Robert J. Moore, Richard C. Linger, “Attack Modeling for Information Security 
Survivability ” (Pittsburgh, PA, Carnegie Mellon University, March 2001), 20. 

93 Michael S. Pallos, “Attack Trees: It's Jungle Out There ” (Beverly Hills, CA, The Business Forum, 
2003), 2. 

94 Bruce Schneier, “ Attack Trees” http://www.schneier.com/paper-attacktrees-ddj-ft.html.Accessed 
September 13, 2006. 
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disciplines are in a position to take some type of action during specific phases of the 
attack planning. 

In an exercise, it may be easier to construct an attack tree if it is focused solely on 
the planned prevention exercise scenario rather than all possible means of attack. In an 
exercise attack tree, the actual path of attack, as detennined by planners, is called the 
critical path. 

3. The Critical Path 

The planned critical path is the adversary’s path through the exercise. From the 
prevention, or blue team, perspective, the critical path is a graphical roadmap of 
opportunities that are available to prevent the attack precursors shown in the attack tree. 
During an exercise, both attack and prevention activities can be plotted on the attack tree. 
This allows for evaluation of prevention activities that were useful in countering or 
changing attack strategies. The planned critical path can be compared to the resultant 
exercise critical path and any deviations noted. These deviations may represent where 
prevention actions were successful in pushing an adversary off their planned attack path 
and therefore may be indicators of successful prevention. This does not necessarily 
signify that where an adversary is forced to change tactics or strategies due to some 
intervention, that the actual attack has been prevented. Forcing an attacker to deviate 
from some point of their planned attack path may simply mean that the attacker has been 
forced to adjust to the deviation and, absent further preventative measures, returns to their 
planned strategies further up the attack tree or elsewhere on the threat continuum. 

That said, in a prevention exercise, success should not be solely measured by the 
complete prevention of an attack and the apprehension of all attackers. Any prevention 
activity that forces attackers to change strategies or delays or diverts an attack is a partial 
success and should be analyzed for lessons learned that may be applicable to real world 
plans and procedures. 95 More importantly, though, is the identification of tactics or 
strategies that more or less pennanently impair an attacker’s ability to conduct specific 
attacks. 

95 U.S. Department of Homeland Security, “Homeland Security Exercise and Evaluation Guidelines 
Volume V, Chapter One, Prevention and Deterrence Exercises, draft ” (Washington, D.C., 2006). 8. 
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Figure 6. An Attack Tree Flows Upward from Intent to Attack 96 

4. Limits of Attack Tree Modeling 

No model, regardless how complex, is able to fully mirror the vast and almost 
limitless array of possible human thoughts and behaviors. Attack trees are no different. If 
overly simplified they are unlikely to accurately represent the various potential attack 
paths. If overly complex, they may or may not be effective in analyzing complex security 
problems. Moreover, to make them robust requires an extensive knowledge of attackers 
and their past and potential strategies. As terrorist events are rare, this information may 
be hard to obtain. Therefore, as knowledge about attack strategies, methods, or other 
details may not be perfectly known, some information must be assumed. 


96 U.S. Department of Homeland Security, “Homeland Security Exercise and Evaluation Guidelines 
Volume V, Chapter One, Prevention and Deterrence Exercises, draff (Washington, D.C., 2006). 
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As each tree is a model, it can be adjusted and fine-tuned as more and better 
information and intelligence becomes available. Excluding the very simplest of attacks, 
they are never necessarily complete. 

As explained earlier, each attack goal must be put on a separate attack tree. This 
can lead to many differing trees. However, attacks may be consolidated into attack 
classes where the methods and resources used by an attacker would be similar. This 
allows for a reduced number of trees. 

Attacks may or may not be a single event. They may consist of a series of 
sequential or concurrent, related events. Attack trees may not be as effective for these 
types of events. Furthermore, unexpected interactions in attack or prevention planning 
may cause failure in unanticipated areas. Future attacks might be focused on these 
interactions rather than on single point vulnerabilities. 97 Attack tree modeling is not a 
model for all security but a single tool to model specific attacks. They tend to focus on 
individual component failure and generally cannot account for human or organizational 
failures. 98 

Security is only as strong as its weakest links; fortunately, adversaries do not 
typically know what the weakest links are. In many cases, neither do we. Predicting 
human behavior is an extremely complex problem—attack trees offer a scientific 
approach to this problem. Security is a process, not a product. Attack trees form the basis 
of understanding that process 99 The attack tree serves as a roadmap or guide to the 
options, actions, and decisions involved in carrying out a terrorist attack. 

E. BEHAVIORAL ANALYSIS 

Behavior surveillance in analysis and screening is a technique designed to detect 
potential threats through observation of behaviors, mannerisms, and interviews. It is 
based on factors, other than race, that may cause an elevated or reasonable suspicion. 
Behavioral analysis is based on the theory that “a person engaged in deception or in an 

97 Robert J. Ellison. “ Attack Trees ” (Pittsburgh, PA, Carnegie Mellon University, September 2005), 4. 

98 Nancy Leveson, “A New Accident Model for Engineering Safer Systems” (Cambridge, MA, 
Massachusetts Institute of Technology, April 2004), 27. 

99 Schneier, “ Attack Trees ”, 3. 
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act in which the person fears being discovered will suffer mental stress, fear, or anxiety 
that is manifested through involuntary physical and physiological reactions that serve to 
dissipate the stress, fear, or anxiety.” 100 Behavioral surveillance looks for behaviors that 
may be more common to terrorists and other criminals but is just one of many tools that 
may be used in exercises to identify these behaviors. 

1. Limitations of Using Technology in Exercises 

There are many new and interesting technologies in development that, over time, 
should enhance society’s ability to identify potential threats. Many systems, in use or in 
development, are based on biometric identification. Some examples include facial 
recognition, iris and retinal scans, hand geometry, voice recognition, gate (walking) 
analysis, and DNA identification. Other new tools include Radio Frequency Identification 
(RFID) Systems, Automatic License Plate Recognition (ALPR) Systems, and others. 

Automated License Plate Recognition systems are an interesting, and relatively 
more mature, example. License plate recognition was developed in the United Kingdom 
in the early 1980’s largely as a response to repeated IRA bombings. In 1993, the 
technology was adapted for more routine law enforcement purposes, principally auto 
theft reduction. The technology has evolved to the point that, while not intended to 
replace the observation skills of law enforcement officers, a long-term goal of the United 
Kingdom’s Home Office is to fully transition the technology into a mainstream tool of 
policing. A major step in that direction is taking place now as a nationwide system of 
over 2,000 fixed-mount cameras is currently being deployed in Britain. This follows the 
installation of mobile license plate recognition systems in all forty-three police forces 
throughout England. 

Fingerprinting is the oldest and most common identification system. In fact, the 
largest biometric database in the world is the FBI’s Integrated Automated Fingerprint 
Identification System (IAFIS) with over 47 million subjects classified. This sizable 
database is possible because the first systematic use of fingerprint in the United States 
began in 1902. It is the only biometric identification system that has been in wide use for 

100 Jim Metzger, “Behavior Oriented Screening System ” (Philadelphia, PA, SEPTA Transit Police, 
2005), 78. 
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more than the last 10 or 15 years. 101 Furthermore, NCIC 2000, a national database of 
criminal justice records, allows police patrol officers to both send and receive data from 
the field with laptop computers, portable fingerprint scanners, and digital cameras. 102 

Yet another part of the NCIC 2000 network is the Violent Gang and Terrorist 
Organization File (VGTOF). This database is designed to assist law enforcement with the 
identification of gang and terrorist organizations and their members. 103 Of course, names 
must already be known and then run through these watch lists and databases for them to 
be of use. The repeated failures of the intelligence community to watch-list two 9/11 
conspirators, al-Mihdhar and al-Hazmi, were seen as “crucial lost opportunities” by a 
congressional Joint Inquiry. 104 

Many of these technologies can be used in exercises to assess authorities’ ability 
to detect and apprehend potential threats. Most of them, however, whether those in 
extensive use, like fingerprints, or in development, like many of the others, are designed 
to identify known subjects. They are far less useful when the goal is to detect, deter, or 
prevent any possible threat from succeeding. Finally, these technologies continue to be 
developed and improved, tend to be too expensive for most agencies to deploy in 
significant numbers, and are not always accepted by populations apprehensive about 
technology that enhances surveillance and detection, therefore, their value during 
exercises may be limited, at least for the near future. 

2. Behavioral Indicators and Warnings 

Many of the above technological advances may still be years away from 
widespread use but they can offer some degree of prevention potential. Even so, we 
should use caution when placing too much reliance on technology. As the 9/11 


101 Federal Bureau of Investigation, “Integrated Automated Fingerprint Identification System or 
IAFIS http://www.fbi.gov/hq/cjisd/iafis.htm. Accessed July 11, 2006. 

102 William J. Krouse, “Terrorist Identification, Screening, and Tracking under Homeland Security 
Presidential Directive 6,” (Washington, D.C., Congressional Research Service, 2004), 31. 

103 Indiana Data and Communications System, “IDACS 2000 Full Operator's Lesson Plan ” 
(Indianapolis, January 2004), 204. 

104 U.S. Congress, “Joint Inquiry into Intelligence Community Activities Before and After the Terrorist 
Attacks of September 11, 2001 ” (Washington, D.C., December 2002), 148. 
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Commission Report noted when investigating the September 11 th terrorist attacks, 
“...virtually all information regarding possible domestic threats came from human 
sources.” 105 

One type of human intelligence is behavioral recognition, analysis, and screening. 
A number of agencies have identified common behavioral indicators that may warrant 
further investigation by law enforcement officers. For the purposes of this section, the 
referenced indicators are behavioral, and not the same as those indicators and warnings 
listed in the Department of Homeland Security’s Target Capabilities List, which refers to 
the recognition of indicators, and warnings that are found in gathered intelligence reports 
and data. 

The observation of behavioral indicators is a form of street-level intelligence, 
which requires authorities (or whomever is involved in the exercise) to be observant for 
potentially significant behaviors. These behaviors may indicate that an individual 
presents a threat or is at least suspicious enough to warrant further investigation, 
however, they offer no guarantee of success. They are merely indicators that should cause 
observers to focus their attentions more closely and may perhaps increase the odds of 
successful prevention or intervention. 

Traditionally, police officers wait for intelligence. To be preventative, however, 
authorities must actively seek information and intelligence, and actively search for 
persons who may be suspicious—not simply respond to calls of suspicious persons or 
circumstances. 106 Police officers should seek to assess threats that may not rise to a level 
of suspicion that police would traditionally use to justify arrest or detention. Police 
officers are and should be willing to talk to individuals that warrant further inquiry but 
may be reluctant to make contact with people unless they meet the reasonable suspicion 
standard. For the most part, this is how police officers are trained. Not every contact by 
law enforcement requires that this standard be met, however. For example, voluntary 
interviews can be useful tools and do not require reasonable suspicion, much less 

105 National Commission on Terrorist Attacks upon the United States, “T/re 9/11 Commission Report ” 
(Washington, D.C., 2004), 535. 

106 Metzger, “Behavioral Screening, ” 7. 
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probable cause, before police officers can initiate them. The U.S. Supreme Court, in 
Florida V. Bostick, ruled that the “4 th Amendment permits police officers to approach 
individuals at random in.. .public places to ask them questions and to request consent to 
search...so long as a reasonable person would understand that he or she could refuse to 
cooperate.” In other words, law enforcement officers are permitted to ask questions and 
request identification without making a “seizure,” as defined by the Fourth Amendment. 

Behavioral analysis focuses specifically on just that—behaviors. Basing proactive 
investigation on race or ethnic appearance is not a reliable, or legal, indicator of terrorist 
or other criminal behavior. For example, Spc. Ryan Anderson (a Caucasian male and a 
member of the U.S. National Guard in Ft. Lewis, Washington) was charged with 
attempting to provide intelligence to Al-Qaeda in 2004. John Walker Lindh, the 
‘American Taliban, was a Caucasian male. Jose Padilla a Hispanic male. Jaradat Hanadi, 
involved in a 2003 suicide bombing in Israel, was a female. There are no fixed profiles of 
terrorists and therefore, behaviors are much better prevention tools than race or 
ethnicity. 107 

Behavioral analysis is not a foolproof method of detection—nothing is. There are, 
however, examples of behavioral analysis successful use. Once case involved a U.S. 
Immigration Inspector named Jose Melendez-Perez. A month before 9/11, based on 
suspicious behaviors, Melendez-Perez turned away Muhammed A1 Kahtani, who was 
believed to be the planned ‘20 th hijacker.’ On the same day, at the same airport, 
Mohamed Atta was allowed into the country by another screener despite paperwork 
showing evidence of fraud. 108 

There is no single, accepted, analysis model, as behavioral analysis is an inexact 
and evolving science. One reasonably well developed example is the Behavioral Oriented 
Screening System developed by Lt. Jim Metzger for the SEPTA Transit Police 
Department in Pennsylvania. This system uses a ‘Terrorist Characteristic Template’ 


107 Metzger, Behavioral Screening, 69. 
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developed by U.S. military intelligence officers based on analysis of characteristics of 
130 persons engaged in radical Islamic Jihad terrorist attacks or who had been arrested on 
terrorism charges. 109 

Another example was developed by New Mexico Tech for their class Prevention 
and Response to Suicide Bombing Incidents (See Appendix A). They have identified the 
nine stages of an attack. Accompanying the nine stages are pre-attack indicators for each 
stage and potential intelligence collection and/or enforcement actions that may help to 
identify and prevent a potential attack. The stages with the most likely use in a prevention 
exercise are those that include “potential law enforcement collections actions.” New 
Mexico Tech’s nine stages is just one behavioral analysis tool that can be used during 
prevention-oriented exercises. 

Unfortunately, while this type of information is frequently marked sensitive 
and/or for limited distribution, much of it can be found on the internet. For example, the 
FBI’s Terrorism Quick Reference Card, which lists pre-incident indicators, can be found 
on the websites of the New Jersey Self Storage Association, U.S. Attorney for Hawaii, 
and many others. 110 While it is important for individuals to be aware of potential 
common indicators, publication of them also provides potential threats the ability to 
adjust and adapt their behaviors based on kn own or established behavioral profiles. 
Unlike some criminals, terrorists are an evolving adversary, but they are not perfect. 
There are most likely going to be some repeating and perhaps necessary steps to carrying 
out attacks. For example, in looking at recent events, there is a trend towards attacking 
soft targets, particularly transit (e.g., Madrid in 2004, London in 2005, and Bombay in 
2006). It would seem reasonable that transit security professionals focus on the most 
common characteristics, at least as much as they can be discerned, and use those 
characteristics in their security planning, training, and exercising. 

Behavioral analysis is a proven, albeit imperfect, prevention tool. In the absence 
of effective and widespread technology, and even then, it can be a valuable and low cost 

109 Metzger, Behavioral Screening, 52. 

110 See http://www.njssa.org/2004%20winter.pdf and 
http://www.usdoj.gov/usao/hi/atac/terrorisminformation.pdf for two examples. Accessed July 13, 2006. 
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method of prevention. It has the added benefit of potentially applying to a wide range of 
other criminal behaviors and can be incorporated into training and exercise programs. 

F. PRIVATE SECTOR SECURITY 

“Private sector preparedness is not a luxury; it is a cost of doing business in the 
post 9/11 world. It is ignored at a tremendous potential cost in lives, money, and national 
security.” So said the 9/11 Commission Report in 2004. 111 The importance of 
incorporating the private sector into homeland security strategic planning, training and 
exercising activities is widely recognized and even formalized in many national strategies 
and directives including Homeland Security Presidential Directive (HSPD) 7, HSPD 9, 
the National Preparedness Standard on Disaster/Emergency Management and Business 
Continuity, the National Strategy for the Physical Protection of Critical Infrastructure 
and Key Assets, the Intelligence Reform and Terrorism Protection Act of 2004, the 
National Response Plan, the National Incident Management System and the National 
Strategy for Homeland Security. 

Unfortunately, this mandate, if it can be called that, appears to be not well 
understood nor widely followed. Statements suggesting the integration of the private 
sector into prevention, preparedness, mitigation, response and recovery planning can be 
widely found throughout homeland security literature. Clarity on how this can be 
accomplished, however, particularly in the area of prevention, is less common. Moreover, 
where information does exist on merging the prevention efforts of the public and private 
sectors, specific examples of sustained, successful, and equal collaboration are even 
harder to find. For example, one Lessons Learned Information Sharing (LLIS) “Best 
Practice” on public-private partnerships in training states, “Public-private partnerships 
can enhance emergency prevention... efforts through cross-sector... training, and 
interdependency exercises.” However further into the report, under the section on 
conducting those same joint exercises, the report drops prevention and states only 
“public-private partnerships can exercise established response and recovery plans and 


*'' National Commission on Terrorist Attacks upon the United States, “The 9/11 Commission Reporf’ 
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procedures.” 112 In another Lessons Learned Information Sharing (LLIS) report, public- 
private partnerships in emergency preparedness are identified as a best practice, but the 
report provides only general infonnation and guidelines on building and supporting these 
partnerships. 113 This paucity of specific examples also applies to private security. 
Unfortunately, little research, particularly when compared to the research devoted to 
public law enforcement, has been conducted on private sector security. 

This section will not attempt to review the private sector in its entirety, but will 
specifically address the state of private sector security. It will examine the role of private 
security and the benefits of collaboration to both the public and private sectors. It will 
review the various problems that have, to date, constrained most efforts at integration into 
homeland security exercises and will conclude by offering several possible solutions. 

Prior to 1844, when New York City started the first local governmental police 
force in the United States, private security was the sole provider of policing services in 
the United States. During the Civil War, the original Pinkerton detective agency, working 
for the Union Army, investigated counterfeiting cases and was given responsibility for 
security and counterintelligence in Washington, D.C. Pinkerton was the first organization 
to use rap sheets and mug shots. 114 

Determining the number of private security officers in the past is difficult. By 
1970, however, the number of private security officers in the nation was estimated to be 
approximately equal to the number of police officers. Current estimates of private 
security vary significantly but the difference is generally estimated at between two and 
three times that of governmental law enforcement. The following table is from the 
Congressional Research Service. 115 


112 Lessons Learned Information Sharing, “Public-private Partnerships for Emergency Preparedness: 
Education, Training, and Technical Assistance http://www.LLIS.gov/. Accessed May 3, 2006. 
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Table 3. Private Security Officers in the United States 



Private 

Facilities 

Government 

Facilities 

Airports 

(Screeners) 

Total 

Contract 

531,000 

2,000 

533,000 

Staff 

351,000 

85,000 

53,000 

489,000 

Total 

967,000 

55,000 

1,022,000 


Another estimate from the U.S. Bureau of Labor Statistics states that 
approximately 12,000 firms employ over one million private security officers, however, 
this estimate does not include ‘in-house’ security such as private investigation, private 
corrections, and others, which would add hundreds of thousands more to the estimate. 
Even these numbers are not necessarily definitive, however. Yet another report from the 
IACP and the USDOJ COPS office put the numbers closer to 90,000 private security 
firms and two million private security officers. 116 Interestingly, while the number of 
private security officers fell 124,000 between 1999 and 2003, from 2004 to 2014, U.S. 
private security officer employment is forecasted to grow from between nine and 
seventeen percent. 117 The earlier decrease is unexplained but may have been due to the 
economic recession in the U.S. following 9/11. Finally, perhaps the comprehensive and 
authoritative reports on private sector security are volumes I and II of the government- 
sponsored, Hallcrest reports. Unfortunately, the more recent volume II is now sixteen 
years old. One of the more current works on the state of private security is the ASIS 
Foundation Security Report: Scope and Emerging Trends released in 2005. 

Private sector security and public law enforcement have similar goals, but also, 
different approaches and vastly different spheres of influence. 118 Though authority can 
and does vary by jurisdiction, generally, private security has similar authority to that of 
ordinary private citizens. 119 Listing the duties of private security, a Congressional 

116 IACP/COPS, “Private Security/Public Policing, Vital Issues and Policy Recommendations ” 
(Alexandria, VA, 2005), 2. 

117 U.S. Bureau of Labor Statistics, Occupational Outlook Handbook, 2006-07 Edition (Washington, 
D.C.: Government Printing Office, 2004). 

118 IACP/COPS, “VitalIssues,” 1. 
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Research Report stated that these duties include “protecting people and property from 
accidents and crime...monitor, patrol and inspect property to protect against...illegal 
activity...enforce laws...conduct incident interviews, prepare incident reports, and 
provide legal testimony...use radios to call for assistance...[and be] armed, as required 
by specific duty assignments.” 120 While these responsibilities do not differ greatly from 
that of governmental law enforcement, there are, of course, distinctions in the roles of 
public and private security. Traditionally, the government has taken primary responsibly 
for intelligence gathering and other prevention efforts, (i.e., counter-terrorism) while the 
private sector has assumed responsibility for reducing their own risks and vulnerabilities, 
(i.e., anti-terrorism), or in simpler terms, the outside versus the inside. It is debatable 
whether these historical, and artificial, distinctions provide the nation with the greatest 
preventative benefit. 

Some private security firms have assumed traditionally governmental roles. Firms 
have been hired to police communities, run prisons, and conduct traffic control. 
Additionally, private security has access to many resources including investigators, 
biometric readers, bomb detection equipment, and vehicle barriers. 

Private security, while assuming additional responsibilities, has also assumed 
more risk. In August 2004, The U.S. Department of Homeland Security (DHS) issued a 
terror alert for financial institutions in three cities, New York, Washington, DC, and 
Newark, NJ. Reports stated that terrorist surveillance included the location, weaponry, 
and activity of private security officers at those institutions. 121 

There is no reason for private sector security to wait for an event to happen, to be, 
trained, exercised, and therefore prepared only for that eventuality. In fact, the major 
responsibility of a security officer is prevention before an incident/offense occurs. 122 
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1. Benefits of Collaboration 

Ideally, true collaboration would lead to benefits for both law enforcement and 
private security. While any specific effort may result in more or less benefit, to be 
successful, interested parties need to believe they are getting at least something close to 
what they are putting in. In other words, a cost-benefit analysis would demonstrate that 
the partnership is providing value to the agency and/or company. 

Considering the potential resources, in addition to the sheer number of people 
available in the private sector, the benefits to the public sector would seem apparent. In 
addition to assisting public sector agencies with emergencies after the fact, private 
security can also assist with providing low or no cost training and sharing equipment and 
office space. Private security can assist with identifying and locating evidence in criminal 
investigations, (e.g., witness statements, records, etc.). In New York City, certain private 
security officers search for and lift fingerprints. They have also assisted in compiling an 
inventory of CCTV camera locations to assist follow-up unit investigators. Private 
security can assist with the collection and analysis of information and intelligence. 
Private security also employs specialists in various areas including CCTV, physical and 
facility security, computer security, biometric identification, and others. These efforts can 
have a positive effect not only on terrorism, but also other types of crime, and may serve 
to reduce calls for service and duplication of efforts. In this, private security appears to 
want to be an active partner. According to former ASIS International Chainnan Regis 
Becker, “As an industry, we are prepared and willing to play a greater role in crime 
control...” 123 Sharing the burden of anti-terrorism and counterterrorism with the private 
sector not only frees up resources in the public sector, it also makes those efforts more 
comprehensive and effective. 

There are benefits to private security as well. Increasing collaboration with the 
public sector, in addition to helping to develop and improve personal and professional 
relationships, can assist the private sector in receiving more frequent and detailed threat 
information as well as information about developing patterns and trends that might effect 

123 Christopher John Hetherington, “Private Security as an Essential Component of Homeland 
Security” (master's thesis, Naval Postgraduate School, Monterey, CA, 2004), 15. 
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individual businesses. It can assist in developing strategies for the protection of vital 
records. Collaboration would also help law enforcement better understand the corporate 
needs of private security. Public sector law enforcement, like private security, also has 
areas of expertise that can be shared. For example, police agencies have skilled 
interviewers, investigators, and crime analysis and crime prevention specialists. Joint 
operations, training, and exercises, can reduce workplace violence and improve employee 
safety. This increased training can help to maintain customer and shareholder confidence 
in the professionalism and capabilities of a company’s security force. Over the long term, 
improved relationships would allow for the sharing of research and best practices, even 
the tracking of legislation of interest to public and private security. 

Unfortunately, many of the current collaboration efforts, even where successful, 
are not done at both the managements and street levels. Additionally, many programs 
tend to be police-driven. 124 While there are clearly benefits to both law enforcement and 
private security, ultimately, the nation as a whole benefits from effective, 
institutionalized, public-private collaboration. 

2. Problems in the Private Sector 

Private security officers have been referred to as real first responders or 
sometimes, ‘first preventers.’ On 9/11, many police officers and firefighters lost their 
lives but less well known is that some three-dozen private security officers were also 
killed. 125 The value of public/private partnerships does not appear to be in dispute. 
Unfortunately, there are many difficulties restricting and inhibiting the ability of the 
public and private sectors in working more closely, and many of these problems rest with 
the private sector. 

One significant, and perhaps justified, fear from both the private and public 
sectors is in the area of sharing infonnation. Law enforcement officials may fear 
information sharing with companies that are foreign owned, (e.g., the two largest private 
security companies operating in the U.S. are both owned by firms located outside of the 

124 Bureau of Justice Assistance, U.S. Department of Justice, “Operation Cooperation: Partnership 
Profiles ,” (Washington, D.C., 1999), 27. 
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U.S.). Additionally, there may be legal restrictions on the sharing of certain types of 
information, particularly as it relates to the sources of information and methods used to 
obtain it. Sources and methods, however, are not commonly shared by the federal 
government with local and state law enforcement either and even when that type of 
information is shared, it is greatly restricted. In any event, information itself, not sources 
and methods, is typically what is most important. 

Companies reporting crimes may fear that criminal investigators may need to 
seize company assets as part of their investigation. They may fear that information shared 
with law enforcement may become part of the public record or that sensitive information 
may get into the hands of competitors. 

Private sector groups frequently share information about suspicious activity and 
other threats with industry peers and the federal government through various networks 
including the critical infrastructure ISACs. That same information is not always shared 
with state and local public safety partners. 126 In fact, information is not always shared 
from private security management to the private security officers on the ground. 
According to a 2004 survey, private sector security directors in Manhattan were reluctant 
to share sensitive information with subordinates due to a lack of trust. 127 

Most private security officers work under one of two employment structures— 
private security companies who hire out services under contract and private security 
officers working directly for employees as part of regular staff. Either private security 
structure may be used at private or public faculties. Within these structures, private 
security is not always a unified function. It may be part of other services including 
parking and others. In addition, approximately 14% of all private security officers, and 
more in the contract realm than the staff employee realm, are part-time employees. 128 A 


126 Lessons Learned Information Sharing, “ Public-private Partnerships For Emergency 
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significant portion of these part-time employees are off-duty law enforcement officers. 129 
Additionally, in one recent report, turnover was estimated at between 100 and 300 
percent 130 

Like law enforcement, private security does not always work well with each 
other. They generally do not train in mutual aid and frequently lack communications 
interoperability. 131 
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Private security officers are poorly paid in absolute terms and in terms relative to 
public employees. The graph in Figure 7 illustrates the problem. 132 

In addition to being counterproductive when trying to increase standards and 
training, this disparity also tends to increase the working separation between the public 
and private separation, as the occupations do not see themselves as equals. If private 
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Figure 7. Average Annual Salaries for U.S. Occupations, 2003 
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security officer standards are increased, pay will increase and in an industry where 
contracts are awarded to the lowest bidder, there is frequently opposition to these types of 
reforms. Security costs money; it does not generate income. 

In emergency response exercises, and even more so in prevention exercises, law 
enforcement, fire and other governmental agencies are typically involved while private 
security is frequently not included. 133 

There are many potential causes for this but one of the most significant is the lack 
of standards and sufficient training in the private security world. The graph in Figure 8 
illustrates the amount of basic security training required of private security officers by 
state. 134 Thirty-one states do not require any kind of private security officer training. 135 


69 



Europo (Avfl at AK CA. FL. OK ND NY IL LA. VA MN. OR AZ. CT. GA. AR MC. NV. SC. TX 29 Othor States 

15 countrios) UT TN.WA 


Figure 8. Hours of Security Guard Training Required by States, 2004 

Much of the training counted in Figure 9 is limited to property rights, emergency 
procedures, and criminal detention. Even this lowly amount of training, however, may be 
overstated. A 2005 report from the public advocate of New York City found that many 
security officers reported receiving less training that even the small amount required by 
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the state. Some reported having no training of any kind. Even more alanning, many cases 
were uncovered where private security Finns employed unlicensed security officers, 
many who had committed crimes in other states or whose fingerprints were never sent in 
to be checked, as required. Half of the 868 companies audited were refened for 
disciplinary action. 136 

This lack of training is not uncommon. In a 2002 survey, over one fifth of private 
security officers in California, Texas and Florida reported they had received no training 
of any kind either pre-or post hire. This occurred despite state laws mandating certain 
minimum training standards. 137 

This poor record on training also applies to the use of drills and exercises. In the 
2002 California survey, only 52% of private security employers had conducted 
emergency drills and just 33% had conducted bomb-threat drills. Another survey in 2004, 
this one of hazardous chemical storage facilities, found in the preceding 12 months, 68% 
had provided emergency response training. 59% had conducted response drills, and 38% 
had improved training and procedures to “prevent possible terrorist attacks.” What was 
also discovered was that over one-half of the private security officers in the three-state 
survey had never participated in an emergency drill of any kind. 138 Encouragingly, the 
recent ASIS Foundation Report noted that over half of ASIS Security Services companies 
believed that cross training of personnel with law enforcement is either moderately or 
very important. Over eighty percent believed that education regarding security and police 
roles is important. 139 
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Private security officers may be armed or unarmed but most commonly are 
unarmed. Companies may not see a business need for security to have improved 
weaponry and protective equipment, or there may be a fear of the increased liability 
associated with armed security officers. With training and education standards so low and 
inconsistent, there may be some validity to this viewpoint. However similar fears were 
one of the reasons the U.S. Marines assigned to barracks security in Lebanon in 1984 
were unarmed and therefore unable to stop the suicide bombing attack that killed 241 
soldiers. Legitimate reasons may exist for security to be unarmed, but lack of training and 
the resultant fear of liability should not be among them as lack of training is a problem 
readily identified and easily remedied. 

Arming private security officers, or even providing better training, will not always 
provide better prevention because not all threats are guardable. Moreover, increasing the 
number of human guards (whether police or private security) does not always equate to 
increased security at a given site and in some cases, might even cause a facility to be less 
secure. For example, no amount of human security on the ground would stop an attack 
from the air. 140 Additionally, larger numbers of security officers, particularly if they are 
not properly screened, leads to greater access which would increase the opportunity for 
infiltrators or other less than trustworthy private security forces to inculcate themselves 
into a given location or operation. 

3. Solutions to Problems in Private Sector Security 

On the most basic level, there are issues of trust between the sectors. One reason 
for this distrust is the lack of screening among private security employers. The National 
Strategy for Homeland Security states, “Time-efficient, through and period back 
screening.. .is an important tool for protecting against ‘insider threat.” 141 The Intelligence 
Reform and Terrorism Prevention Act of2004 allows for criminal background checks of 
private security officers every twelve months but also allows for states to opt-out of this 
requirement. Furthennore, there is no widely accepted certification process or national 
standards for private security officers. Considering the wide variety of security officer 
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roles and duties, however, a national standard may be too broad. For example, there is 
also no single national standard for law enforcement, though regulation at the state level 
and the impact of case law has created a de-facto, albeit non-uniform, standard. 

The National Strategy states, “there is an urgent need for ongoing training of 
security personnel...” 142 The largest private security association in the world, ASIS 
International, has proposed minimal selection and training standards for use by regulating 
bodies and companies. 143 ASIS recommends that security officers receive 48 hours of 
training within their first 100 days of employment. In addition, their guidelines 
recommend that training topics include information sharing and crime prevention. The 
ASIS foundation report found that the only condition that law enforcement survey 
respondents not rated as good or very good was the training received by private sector 
security. 144 

A number of private security responsibilities can be exercised. Some of these 
prevention type activities include access-control, screening, intrusion detection, general 
monitoring of suspicious activity and the safeguarding of information, (e.g., blueprints, 
security schedules and routines, sensitive information, etc). While each area relates to 
general prevention, much of it is also facility or location specific. 

Police departments regularly meet with local community members including 
business associations but tend not to meet with private security officials in any systematic 
way. 145 A summit of public law enforcement and private security leaders indicated that 
only 5-10% of law enforcement chief executives had partnerships with private sector 
security. 146 This can change if both public and private stakeholders identify clear benefits 
for each. Law enforcement administrators tend to spend time putting out fires and 
focusing on those who make the most noise. Working more closely with the private 
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sector would require strategic planning and on-going commitment. It can be done. In 
Israel, for example, there is a “profound amount of intelligence sharing between the 
private security officers...and the police.” 147 

The New York City police department has created the Area Police Private 
Security Liaison (APPL) program. This program allows information to be shared with 
private security and includes liaisons with specific private security organizations 
including hotels, jewelers, retail, contract security, and others. Modeled after APPL, the 
Nassau County New York Police Department has created the Security Police Information 
Network (SPIN), a voluntary infonnation-sharing network that includes both vetted and 
non-vetted members of the private sector. Vetted members require background checks 
and include members associated with corporate security, critical infrastructure, hospitals, 
schools, and others. Non-vetted members include those associated with chambers of 
commerce, civic associations, etc. To prevent overload, a well-designed network would 
send out information only to those in the network who should receive it. The SPIN also 
allows for members of private security to feed back into the information-sharing 
network. 148 Another good example of information sharing can be found in the Critical 
Infrastructure Information Sharing and Analysis Centers (ISAC). ISAC’s are private 
sector organizations designed to gather, analyze, and disseminate information about their 
respective critical infrastructure sectors. There are, unfortunately, many impediments to 
better infonnation sharing between the public and private sectors. It may not be realistic 
for these to be addressed in any thorough and systematic way, though, until the many 
difficulties with information sharing within government are first addressed. 
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Some other positive examples exist. In New York City, the police department 
conducts threat assessments on private properties on request. Their assessment team will 
produce a written report, which will include security suggestions. This serves to reduce 
risk and is, therefore, a form of prevention. 149 

In England, the City of London Police have developed a program called Project 
Griffin which entails training private security in, among other things, terrorism planning 
and emergency services command and control. Griffin also has a “bridge call” plan, 
which allows the sharing of threat and crime trend information with security managers. 
Finally, Griffin allows for the deployment of security officers working alongside police 
officers on cordon control in major incidents. 150 

4. Conclusion 

While it may be counter to current thinking, and though there are undoubtedly 
exceptions, private sector security does not appear ready for full and complete 
incorporation into public sector training and exercise programs. This conclusion is 
reached not due to a lack of desire or from bias; but it is apparent that private sector 
security needs to make significant structural changes to its profession. While a uniform 
national private security officer standard may or may not be necessary or even the most 
efficient manner to regulate private security officers nationwide, the social benefit of 
increased preparedness in the private sector may outweigh the private sector costs 
associated with the tasks required to accomplish it. Unfortunately, to this point, the 
private sector has appeared to invest relatively little additional capital in increased 
security. 151 

The business community has not yet created an adequate foundation for 
prevention. This foundation would allow for the training and exercising of private sector 
prevention efforts. For example, in a report on private sector crisis preparedness written 
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by the Business Roundtable, in a section on smart practices, the only type of exercise 
listed is evacuation. The report also briefly mentions that the private sector should review 
lessons learned from governmental exercises and real-world events. Interestingly, the 
report includes a list from the Department of Homeland Security on what should be done 
at various threat levels, and many of these recommendations include the testing of plans 
and procedures, but there appears to be little information about how to conduct those 
tests. 152 

Compounding the problem, there appears to be little desire on the part of 
government to address the shortcomings. A 2006 Colorado review addressing the need 
for state regulation of private security concluded that “the potential for hann is almost 
intuitive” but that since they did not have examples of actual hann they conclude that 
“the absence of regulation [of private security officers and companies] has not harmed 
[and based on this logic, apparently cannot and will not harm] Colorado citizens.” The 
report states that increasing professionalism in the [private security] industry is 
“imelevant to public protection.” From these seemingly contradictory opinions, the state 
of Colorado has concluded that regulation of private security is not justified. In fact, their 
analysis concluded that regulation (consisting of licensing, training, and background 
checks) for private security would be an unnecessary barrier to entry. 153 The authors 
apparently believe that the current lack of meaningful entry requirements provides 
sufficient protection. 

At the federal level, a bill introduced in 2004 called the “Private Sector 
Preparedness Act of 2004” would have amended the Homeland Security Act of 2002 to 
direct the Department of Homeland Security to “develop and implement a program to 
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enhance private sector preparedness for emergencies and disasters, including acts of 
terrorism.” The bill would not have applied to staff private security officers and did not 
include a prevention component. It never became law. 154 

The private sector security industry is marked by low pay, few benefits, little, if 
any training, few, if any, standards, high turnover, and almost no governmental oversight. 
Nearly anyone walking down the street can be hired, given a uniform, badge, and keys to 
a building, and are then trusted with security. This is security in name only. The full 
inclusion of private sector security into homeland security prevention exercises would not 
be without risk. Most encouragingly is that the largest professional private security 
organizations, including ASIS International, recognize the need for increased training and 
heightened standards and are working towards that goal. 

Clearly, many tools exist that can and will be useful in the area of prevention, and 
many, if not most, of these, can also be tested through the exercise process. Focusing on 
all-crimes and using behavioral analysis are tools that can and should be used both in the 
real world, and in prevention exercise scenarios. Private sector security can be 
incorporated into exercises, provided there is understanding of the risks and limitations 
inherent in doing so. Information Sharing Environment Analysis, Red Teaming, and 
Attack Trees are relatively new tools, however, the Department of Homeland Security in 
its Terrorism Exercise Prevention Program is piloting their use. Additionally, intelligence 
exercises are not uncommon. 

Furthermore, the TOPOFF series of national exercises is increasingly 
incorporating intelligence and prevention into its design. The following section describes 
several exercises that involved varying levels of intelligence and other prevention 
components. 
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III. PREVENTION EXERCISE EXAMPLES 


As stated earlier, prevention measures have been incorporated, to varying degrees, 
into homeland security exercises. While examples are still few, it is apparent that it can 
be done. Following are several examples of recent prevention exercises or exercises with 
prevention components. 

A. NEW YORK STATE PILOT PREVENTION EXERCISE 

The New York State Pilot Prevention and Deterrence Exercise was conducted 
June 1-23, 2005 in New York State. The exercise, conducted by the New York State 
Police, New York Office of Homeland Security, Upstate New York Regional Intelligence 
Center, FBI, DHS Office for Domestic Preparedness, and many local law enforcement 
agencies statewide, had the potential to reach over 200 organizations including ten 
private sector organizations. 155 New York State hosted the exercise as they have made 
significant progress in creating a workable intelligence fusion center and was keenly 
interested in exercising their capabilities. The purpose of the 23-day exercise was to 
evaluate processes to recognize, collect, analyze, and disseminate criminal information 
and intelligence. 

The objectives of the exercise were to assess capabilities in three prevention- 
related competencies from the Target Capabilities List: Information Collection and 
Threat Recognition, including the ability to identify indicators and warning signs; 
Intelligence Fusion and Analysis, including the ability to glean relevant intelligence 
encompassed in ‘white noise’; and, Information Sharing and Collaboration, including the 
ability to communicate both vertically and horizontally. 156 

The exercise was unclassified and largely unscripted, and was based on realistic 
threats to the Nation and the New York State area. There was no media play. The 23 day 
exercise timeline was a compression of 365 days of exercise-related intelligence and 
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information. The scenario involved two primary targets, three alternate targets, potential 
improvised explosive devices (IED), damage to critical infrastructure, and mass 
casualties. See Figure 9 for the exercise organization. 



Figure 9. UNYRIC Exercise Organization 157 


The exercise involved significant red team play and included two red teams 
consisting of nine members in separate cells. The scope of the red team actions included 
efforts to obtain fraudulent ID, conduct reconnaissance, surveillance and mapping of 
potential targets, and obtain materials needed for attacks. The red teams were allowed to 
change plans, evade detection, and complete their preparations. 158 
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For the exercise, the red teams were prohibited from interacting with senior 
elected or appointed officials, minors, geographic areas outside the designated areas of 
play, and any sites not specifically allowed for red team play. 159 

As part of the after-action review process, exercise planners learned of the 
importance of closely synchronizing red team play with Master Scenario Events List 
(MSEL) injects. Additionally, the prevention exercise timeline was not fully understood 
by all players and required more detailed briefings and training. The exercise plan also 
called for intelligence to be front-loaded, however, participants believed it would have 
been preferable if intelligence had been injected continuously rather than on pre-selected 
days. Finally, it was determined that expected player actions and possible contingency 
injects (particularly those related to red team play) should be scripted in the MSEL to 
ensure that exercise play flows properly and that controllers and evaluators have 
benchmarks with which to work. 160 

B. L.A. COUNTY TERRORISM EARLY WARNING EXERCISE 161 

This multi-agency, discussion based, group tabletop, prevention and deterrence 
exercise, was conducted on June 21, 2005 in Montebello, California. The exercise was 
the third in a series of exercises conducted as part of Los Angeles County’s 2005 
Chimera exercise program. Los Angeles County’s three-year exercise goals are as 
follows: 

• Prevent acts of terrorism 

• Reduce Los Angeles County’s vulnerability 

• Minimize damage from attacks 

Los Angeles County conducts it’s exercise program in accordance with the 
Department of Homeland Security’s Homeland Security Exercise and Evaluation 
Program (HSEEP) guidelines. The County’s exercise strategy is built on a series of 

159 U.S. Department of Homeland Security, “New York Prevention and Deterrence Pilot Functional 
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workshops and tabletop exercises, moving to multi-discipline functional exercises and 
concluding with a full-scale exercise. The Chimera Exercise series consisted of 36 
progressive exercises based on a terrorist biological attack scenario, specifically, an 
aerosolized anthrax release. 

The Chimera prevention and deterrence exercise was hosted by the Los Angeles 
Terrorism Early Warning Group (TEW). The Los Angeles County TEW is comprised of 
representatives from police, fire, health, and emergency management and has primary 
responsibility for prevention and deterrence related tasks in the Los Angeles County area. 



Figure 10. Foundational TEW Organization 162 


The exercise lasted four hours and included participants from the Los Angeles 
Terrorism Early Warning Group (TEW), Los Angeles County Departments of Health, 
Emergency Medical Services, Fire, and Sheriff, the Los Angeles Fire Department, Long 
Beach Departments of Health and Fire, Pasadena Health and the Federal Bureau of 
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Investigation. There were a total of 33 players, one observer, and 12 
controller/evaluator/facilitators. Health Departments represented 44% of the total 
exercise participants. 

The TEW exercise was specifically designed to enhance participant understanding 
of the TEW concept and operations. The exercise objectives, taken from the Target 
Capabilities List, were to: 

• Identify procedures for determining indicators & warnings, increasing 
surveillance, exploiting real-time intelligence resources dealing with 
suspicious outbreak of disease, and 

• Identify procedures for sharing intelligence information 

Exercise participants were given an overview of the TEW Epidemiological 
Intelligence Cell, which consist of five components: active/syndromic surveillance, 
passive surveillance, psychological threat assessment, human intelligence, and open 
source intelligence. Participants were also given information on the TEW Bio Terrorism 
Playbook. The Playbook is a guideline for the TEW’s response in an actual event. The 
purpose of the Playbook is to provide essential information and recommended courses of 
action. The prevention (pre-release) element of the exercise lasted approximately one 
hour. This demonstrates that prevention exercises can be of short or long duration. 

C. TOP OFFICIALS (TOPOFF) EXERCISE SERIES 

TOPOFF is a congressionally mandated, biennial, exercise program, which 
conducts a functional exercise in the first year and a full-scale exercise in the second 
year, with continuity provided by a series of seminars. The TOPOFF exercise series is the 
cornerstone of the National Exercise Program. While TOPOFF is not specifically 
oriented towards prevention and deterrence, over time, these exercises have increasingly 
incorporated intelligence and prevention actions into the scenarios. TOPOFF 2000, the 
first in the series, did not include a prevention component but is included here for 
accuracy and completeness in describing the evolution of prevention in the TOPOFF 
exercise series. 

1. TOPOFF 2000 

TOPOFF 2000 was conducted from May 17-23 in 2000 at a cost of about 3.5 
million dollars. The exercise was hosted by two localities, Denver, which exercised a bio- 
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terrorism (Pneumonic Plague) release, and Portsmouth, Hew Hampshire, which exercised 
a chemical (Sulfur Mustard) attack. The exercises involved approximately 6000 
participants and were co-chaired by the Department of Justice and the Federal Emergency 
Management Agency. There was no international component and only limited play by the 
medical community. The exercise did not have a prevention and deterrence component 
and was designed to assess the nation’s crisis and consequence management 
capability. 163 

TOPOFF 2000 was mandated and advertised to be a “no-notice” event and the 
actual scenario was unclassified, but restricted. The “dates, times and content of the 
exercise, however, were known to many outside the planning group well in advance of 
the exercise.” 164 Additionally, The TOPOFF 2000 After-Action Report stated, “logistical 
and scheduling considerations for a no-notice national exercise are exceptionally 
challenging [and]...the no-notice requirement should be reconsidered.” 165 One difficulty 
with the information being so readily available was that not all participants treated the 
information as private. The After-Action Report also stated, “some agencies came to the 
exercise with choreographed responses knowing exactly what the exercise was going to 
require from them.” 166 

The scenario involved a member of a fictional terrorist group being arrested in 
London, causing the [terrorist group’s] original attack timetable to be moved forward. 167 
This information was used to enable the exercise scenario to move forward with a 
realistic foundation, not necessarily for the specific use of participants during the 
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exercise. According to the FBI, “pre-exercise simulated intelligence was 
satisfactory...Agents collected the necessary infonnation and did not need extensive pre¬ 
event background infonnation.” 168 

One of the FBI’s exercise objectives in TOPOFF 2000 was “collecting, analyzing, 
prioritizing, and dissemination intelligence...at the on-site locations and at the national 
level.” 169 In addition, the FBI was to “conduct threat assessments and pre-event 
intelligence for jurisdictions.” 170 Intelligence information during the exercise was 
intended primarily to locate and apprehend the involved suspects, and not to prevent an 
attack from occurring. This was consistent with the exercise design and objectives. 

There were many, candid, after-action comments by participants. Perhaps the 
most interesting was that TOPOFF 2000 did not have sufficient participation by top 
officials. 171 

2. TOPOFF 2 

TOPOFF 2 (T2) was the second in the congressionally mandated TOPOFF 
exercise series and was conducted the week of May 12-16, 2003. The full-scale portion of 
the exercise involved approximately 8500 participants and was the largest peacetime 
exercise (up to that time), ever sponsored by the Department of Homeland Security or the 
Department of State. 172 The exercise cost approximately 16 million dollars and was 
intended, according to then Secretary Tom Ridge, as a test of “strategies, responses, and 
protocols [to enable participants to] learn a lot about...response capabilities.” 173 


168 FEMA, DOJ, “TOPOFF 2000 Report,” 1-46. 

169 Ibid., A-2. 

170 “TOPOFF Exercise Planning Conference Final Report: May 21, 1999,” 
http://www.gnyha.org/eprc/general/nbc/chemical/200202_ChemGuidebook.pdf. Accessed August 12, 
2006. 

171 U.S. Department of Flomeland Security, “TOPOFF 2 After-Action Report” (Washington, D.C., 
August 18, 2003), 219. 

172 U.S. Department of Flomeland Security, “Exercise T2 Evaluation Plan (EVALPLAN)” 
(Washington, D.C., May 2003), 2. 

173 John Mintz, Edward Walsh, “Fluge Homeland Security Drill Planned,” Washington Post, May 5, 
2003. 
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Unlike TOPOFF 2000, T2 was, depending on the participant, either a limited or a 
full-notice event. Participants were allowed to review much of the scenario, if they so 
desired. Many chose to avoid exposure to scenario infonnation to make the event a more 
realistic challenge. TOPOFF 2 exercise designers “deliberately erred in favor of 
maximizing continuous learning rather than sequestering the scenario.” 174 

TOPOFF 2 involved sixteen major exercise activities conducted for 103 federal, 
state, local, and international departments and agencies. 175 The exercise also involved 
extensive media coverage from both the real media and exercise player media. T2 was 
also the first exercise in the series to be conducted after the creation of the Department of 
Homeland Security, National Response Plan, National Incident Management System, and 
the Homeland Security Advisory System (HSAS). In addition, TOPOFF 2 was the first 
time the HSAS threat condition was raised to red (whether real or exercised). 176 

This second TOPOFF involved two full-scale response exercises: A Pneumonic 
Plague (Yersinia pestis) release in several Chicago metropolitan area locations and a 
radiological dispersal device explosion in Seattle. It also involved one of the largest 
hospital mass casualty exercises every conducted (64 hospitals in the Chicago metro 
area). 177 

Prevention and deterrence played a slightly greater role than in TOPOFF 2000. 
Neither venue (Seattle or Illinois), however, listed prevention or intelligence as one of its 
exercise objectives. Moreover, only four percent of federal agency participant objectives 
related to intelligence. 178 


174 U.S. Department of Homeland Security, “TOPOFF 2 After-Action Report” (Washington, D.C., 
August 18 2003), 218. 

175 Select Committee on Homeland Security - U.S. House of Representatives, “Statement of C. 
Suzanne Mencer” (Washington, D.C., July 8, 2004), 4. 

176 U.S. DHS, “TOPOFF2 AAR, 230. 

177 U.S. DHS, “TOPOFF2 AAR, 231. 

178 U.S. Department of Homeland Security, “Exercise T2 Evaluation Plan (EVALPLAN)” 
(Washington, D.C., May 2003), 11. 
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The following section is from the TOPOFF 2 After-Action Report: 179 

T2 intelligence play was purposefully designed to provide background 
support to drive the exercise scenario. For simplicity, T2 did not provide 
an opportunity for analytical review and development of intelligence. 

Several comments suggested including enough depth and complexity of 
notional intelligence processing to allow analysis play in real time. Such 
intelligence play should enable and promote the intelligence buildup at 
exercise commencement, and continue as a robust element of play 
throughout the event. The intelligence community should provide answers 
to requests for infonnation, including the production of “tear-lines” so that 
DHS can produce press releases based on product produced. This concept 
would support the concept of prevention, an important aspect of homeland 
security. 

The full-scale exercises in both states involved active opposition forces. This part 
of the scenario, however, was limited in scope to “tactical support by Seattle Police 
Department SWAT, U.S. Coast Guard, FBI SWAT in Seattle and in Illinois to the Illinois 
State Police and the FBI Hostage Rescue Team (HRT). 180 

Like TOPOFF 2000, intelligence was primarily used to drive exercise play. 
Unlike TOPOFF 2000, however, T2 involved “significant pre-exercise intelligence 
play.” 181 The “[full-scale exercise] de-emphasized attribution issues by making it 
relatively easy for authorities to discover that the attack was undertaken by GLODO (the 
fictionalized adversary). The exercise did less than it could have to test how the 
intelligence...machinery deals with a terrorist attack.” 182 The scenario involved a “swift 
and effective response by [law enforcement].” Terrorist’s safe houses were scripted to be 
identified within 36 hours of the initial attack. 183 


179 U.S. DHS, “TOPOFF2 AAR,” 226. 

180 U.S. DHS, “TOPOFF2 AAR, ”213-215. 

181 U.S. Department of Homeland Security, “Top Officials (TOPOFF) Exercise Series: TOPOFF 2 — 
After Action Summary Report for Public Release” (Washington, D.C., December 19, 2003), 2. 

182 Institute for International Studies Center for International Security & Cooperation, “Final Report: 
Top Officials 2 Full Scale Exercise, May 11-15, 2003” (Palo Alto, CA: Stanford University, 2003), 37. 

183 John Mintz, Edward Walsh, “Huge Homeland Security Drill Planned,” Washington Post, May 5, 
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Following is the timeline used in the Washington State portion of the exercise: 184 

D-60: Global indicators and warnings 

D-6: Increase in hostile cyber-activity; threat condition elevated from yellow to 
orange. U.S. intelligence picks up credible threats related to a notionalized 
terror group 

D-3: Credible threat against Columbia Generating Station 

D+l: Two terrorist suspects captured 

D+2: Terrorists attempt to flee the area and cross the U.S. Canadian border. 

One informal after-action comment about the Seattle full-scale exercise by an 
observer in the health field was that threats were not shared with the Department of 
Health and Human Services or other local authorities outside of law enforcement. 185 

3. TOPOFF 3 

The most recent TOPOFF exercise was TOPOFF 3 (T3), conducted April 4-8 
2005. Eight states and one territory applied to host the exercise before the States of 
Connecticut and New Jersey, along with jurisdictions from the United Kingdom and 
Canada, were selected to play. New Jersey exercised a biological release of pneumonic 
plague and Connecticut exercised a chemical explosion. International travelers were 
notionally exposed to the biological agent, which facilitated play with the United 
Kingdom and Canada. 

T3 was another limited-notice exercise. It involved approximately 22,000 
participants, 27 federal Departments and Agencies, 30 state, and 44 local departments 
and agencies, in addition to 156 private sector organizations across 4 separate venues. 
This exercise was billed as the largest, most complex, comprehensive, dynamic, and 
ambitious, counterterrorism exercise ever conducted in the U.S. it incorporated many 


184 U.S. Department of Homeland Security, “Exercise T2 Evaluation Plan (EVALPLAN)” 
(Washington, D.C., May 2003), 14-15. 

185 Andy Stevermer, Capt., “TOPOFF 2 in Seattle: Lessons and Challenges” (Seattle, WA: 
Presentation given August 2003, http://depts.washington.edu/nwcphp/siphp2003/summerinst.html)/. 
Accessed August 12, 2006. 
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more elements, roles and participants that in previous exercises. The exercise cost over 
21 million dollars. 186 Thirteen countries participated as observers. 187 

TOPOFF 3 involved the following cycle of activities: 188 

• Command Post Exercise (May, 2004) 

• Seminars and Planning Events 

• Advanced Distance Learning Exercises (January, 2005) 

• Simulated intelligence activities (March, 2005) 

• Full-Scale Exercises (April, 2005) 

• Large-Scale Game (May, 2005) 

• After-Action Conference (June, 2005) 

Prevention was an underlying theme in TOPOFF 3. Nationally, the exercises 
focused on four critical areas, one of which was intelligence/investigation, to test the 
flow, handling, and sharing of time-critical information. The State of Connecticut listed 
seven overarching objectives, one of which was to “examine interagency intelligence 
sharing processes required to prevent terrorist attacks.” 189 The State of New Jersey listed 
twelve over arching goals, one of which was to “explore the multi-level, operational 
coordination of intelligence and investigative authorities.” 190 Therefore, for the first time 
in a TOPOFF exercise, a significant prevention element was included. 

Unlike previous TOPOFF exercises, in T3 the adversary was fictionalized but 
based on real world terrorist groups. Exercise designers planned a simulated stream of 


186 U.S. Department of Homeland Security, Office of Inspections and Special Reviews, “A Review of 
the Top Officials 3 Exercise” (Washington, D.C., November 2005), 76. 

187 U.S. Department of Homeland Security - Press Release, “Transcript of Press Conference with 
Secretary of Homeland Security Michael Chertoff on the TOPOFF 3 Exercise” (Washington, D.C., April 4, 

2005) , 1. 

188 U.S. Department of Homeland Security - Press Release, “TOPOFF 3 Exercise Program Press Kit” 
(Washington, D.C., April 4, 2005), 1. 

189 College of Continuing Studies University of Connecticut, Homeland Security Education Center, 
“State of Connecticut TOPOFF 3 After-Action Report: Summary of Key Findings” (Storrs, CT, January 

2006) , 5. 

190 New Jersey Domestic Security Preparedness Task Force, “2004/2005 Progress Report” (January 
2006), 71. 
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intelligence involving “all intelligence agencies” 191 The goal of the intelligence was to 
influence player actions, create decision-making avenues, and provide participants with 
an opportunity to exercise against a realistic and adaptive adversary with the intent to test 
law enforcement and intelligence capabilities to detect, disrupt, and react to ambiguous 
and changing information as early as possible. The prevention aspect was intended to 
allow law enforcement and intelligence to fully deploy their operational procedures, 
engage their analysts, and provide vital information to exercise participants. 192 Unlike 
TOPOFF 2, the intelligence component of the exercises was crafted over an extended 
period by representatives from the various agencies participating in the exercise. Using 
this type of exercise design group requires a lead agency be designated to ensure 
participating planners stay on track. 

The FBI, and state and local law enforcement, were provided a stream of false 
information about several possible terrorist attacks for the four weeks preceding the full- 
scale exercises. The purpose of the infonnation was to provide an opportunity to piece 
together the puzzle and stop (at least one of) the attacks before they occurred. Both New 
Jersey and Connecticut each had one planned prevention event. 

Infonnation was disseminated to intelligence analysts via nonnal message traffic 
and intelligence reports. The FBI shared information via their Joint Terrorism Task 
Forces and via phone or secured fax. To be realistic, existing channels were used to share 
information and care was taken to not commingle notional intelligence with real 
intelligence. 193 The infonnation was delivered in small pieces along with the actual daily 
information processed by agencies. 194 


191 U.S. Department of Homeland Security - Press Release, “Transcript of Press Conference with 
Secretary of Homeland Security Michael Chertoff on the TOPOFF 3 Exercise” (Washington, D.C., April 4, 
2005), 2. 

192 DHS, “A Review of the T3 Exercise,” 44. 

193 Ibid., 18. 

194 A1 Pessin, “US Terrorism Exercise Test Prevention and Response,” Voice of America News, April 
8, 2005, http://www.voanews.come/english/archive/2005-04/2005-04-08- 

voa81 ,cfm?CFID=402571448&CFTOKEN=67519485. Accessed March 29, 2006. 
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The intelligence analysis led to “notionally successful search warrants and arrests 
being made prior to TOPOFF 3 deterring some of the possible attacks.” 195 Some attacks 
were scripted to occur regardless to ensure a realistic foundation for the response portions 
of the full-scale exercises. 

Most TOPOFF 3 after-action reports have not yet been published. The 
Department of Homeland Security’s Inspector General, while not granted enough access 
to the intelligence part of play to make official recommendations, did note that the 
secured messaging system and information collection and reporting structure was not 
sufficient to process and track the large volumes of information. 196 

Several additional lessons learned were identified during TOPOFF 3. Due to the 
complexity of intelligence and information sharing system, all intelligence players should 
be clearly identified in advance (see previous section on the Infonnation Sharing 
Environment Analysis). Designers should agree on a limited number of over-arching 
objectives that will apply to all agencies involved. In addition, team members must be 
flexible during the exercise design phase, understanding that prevention exercises are still 
a relatively new concept. Finally, planners found that it is important to have a strong 
personality as the lead exercise designer. 

4. TOPOFF 4 

TOPOFF 4 (T4), the next exercise in the TOPOFF series, is planned for October 
2007. Few details have been released about T4, however, six states and territories applied 
to host the exercises and three locations have been selected to participate: Oregon, 
Arizona, and the U.S. Territory of Guam. 197 The exercises will last ten days and involve 


195 College of Continuing Studies, “TOPOFF 3 AAR Summary,” 8. 

196 U.S. Department of Flomeland Security, Office of Inspections and Special Reviews, “A Review of 
the Top Officials 3 Exercise - Management Response to Draft Report” (Washington, D.C., November 
2005), 53. 

197 Andy Giegerich, “Portland Picked as Site for Terror Exercise,” The Business Journal of Portland, 
March 7, 2005. 
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simultaneous attacks in each venue. Up to 20,000 emergency workers are anticipated to 
be involved and observers are expected from many countries including Russia and 
Denmark. 198 

As of June 2006, the planning for TOPOFF 4 has included a three-day Command 
Post Exercise hosted in Northern Virginia. This continuity of government-oriented 
exercise was held in conjunction with exercises by FEMA and the FBI and involved 
4,000 participants. 199 

While prevention was an underlying theme for TOPOFF 3, it will become more of 
a primary focus in TOPOFF 4. The exercise will involve at least two significant 
prevention components, one each in Oregon and Guam. Intelligence play will begin 60 
days before the exercise, twice as long as was played during T3. The Arizona portion of 
the exercise will be a response-oriented command post exercise (CPX). 

From these examples, it is apparent that the difficult task of prevention, whether 
in training, exercising, or in the real world, is becoming increasingly important. Agencies 
facing this task should know that, while difficult, it is possible to conduct prevention 
exercises, or at least, to incorporate realistic prevention activities and scenarios into 
existing homeland security exercises. 


198 Mathew Benson, “Phoenix Balks on Tenor Drill,” The Arizona Republic, April 14, 2006. 

199 U.S. Department of Homeland Security - Office of the Press Secretary, “U.S. Department of 
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IV. CONCLUSION 


A good plan, well-rehearsed, is better than a perfect plan unrehearsed. 200 

General George S. Patton 

The purpose of exercises are to test and validate relevant policies, plans, 
procedures, training, equipment, and interagency agreements. Additionally, exercises 
help clarify and train personal in their individual and agency roles and responsibilities, 
which contributes to improved interagency coordination and communication. This can 
also improve professional relationships on the individual level. An exercise can be a form 
a gap-analysis, identifying resources and equipment needs. Exercises can improve 
individual performance and identify areas for improvement. This allows jurisdictions to 
focus their planning efforts on the areas of greatest need. The value of using the HSEEP 
methodology, in addition to being a requirement for some types of funding, ensures 
nationwide consistency and useful after-action reports and improvement plans. 

While recognizing the benefits of prevention-oriented activities, they do not come 
without cost. As mentioned earlier, the June 2005 New York State Pilot Prevention 
Exercise lasted for twenty-three days. 201 The dedication of this much time to an exercise 
is significant and the level of commitment required for a realistic prevention exercise 
may not be within the reach of every agency. Nevertheless, this fact does not reduce the 
importance of realistic exercising. 

The most effective method in assessing the ability to accomplish an objective is to 
allow tasks to be perfonned in a realistic environment as though they would in the real 
world. The evolution of a threat picture in any given scenario might take place over days, 
weeks, or months. In order to exercise these types of tasks and capabilities, it is best to 
put them in an environment where intelligence collection and analysis run their natural 

200 Col Timothy G. Malone, Schaupp, Maj Reagan E, “The Red Team: Forging a Well-Conceived 
Contingency Plan,” Aerospace Power Journal XVI, no. two (Summer 2002). 12. Note that Malone and 
Schaupp slightly modified the original quote. 

201 A1 Pessin, “US Terrorism Exercise Tests Prevention and Response,” Voice of America News, April 
8, 2005, http://www.voanews.eom/english/arehive/2005-04/2005-04-08-voa81.cfm//. Accessed March 25, 
2006. 
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life cycle. This allows the human aspect to play its role of deciding what is important, 
who to send information to, and when. Where a one day full-scale exercise might 
quantitatively exercise a capability to conduct mass decontamination, for example, there 
may now be a need to conduct a one month exercise to test whether a systematic 
approach to recognizing threat indicators (not always from law enforcement) are 
observed, reported and integrated into the continuous flow of information by many 
different systems. 

While this may all make sense, the question arises about why it appears to be so 
difficult. The reasons are many. As stated earlier, response exercises are easier to plan 
and conduct than prevention exercises because we are good (for the most part), at 
response. It is done every day by every local and state response organization in existence. 
Response exercises are relatively easy to budget and can be ‘seen’ by those in positions 
to approve them. Response exercises typically look the same from agency to agency. Fire 
trucks, police cars, medic units and others show up at a predestinated location and do 
what they do nearly every day. Prevention activities have no such consistency. Agencies 
cannot simply look to their fellow agencies and do what they have done, as, often times, 
they also are looking for guidance. Prevention as a science and a practice is still in its 
infancy. Maturity will come, but only with research, analysis, and more practice. 

This thesis strives to document and demonstrate that prevention can be exercised. 
It makes no claim that the task is easy, but the rewards are self-evident. Understanding 
that prevention can be practiced and exercised through the use of certain tools is one 
significant step in having the guidance necessary to begin a prevention exercise, or even 
better, a prevention exercise program. The tools cited, ‘all-crimes’, information sharing 
environment analysis, red teaming, attack trees, behavioral analysis, and inclusion of 
private sector security, can be used either individually or as a group to conduct exercises. 
These tools, however, are not the end-state, as other tools undoubtedly exist. 

This thesis also endeavors to provide a road map for agencies desiring to 

understand and exercise prevention activities. It has attempted to do so by identifying 

obstacles to prevention exercising, providing prevention tools, and finally, by providing 

specific exercise examples. Agencies using the described, and perhaps other, tools, 

88 



working with the Homeland Exercise and Evaluation Program (HSEEP) Guidelines, 
using the technical expertise available from local, national, and federal subject-matter 
experts, and reviewing other research, should have that road map. Most importantly, on¬ 
going, realistic prevention-oriented exercises may result in actual improvements in 
society’s ability to prevent terrorism. There is no loftier goal, or more compelling reason 
to test and exercise our best prevention efforts. 
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